University of Indonesia Magister of Information Technology
Information Systems Security Access Control Arrianto Mukti Wibowo, M.Sc., Faculty of Computer Science University of Indonesia
[email protected]
Access Control Systems & Methodology
University of Indonesia – University of Budi Luhur Magister of Information Technology
Domain objective
• Study the mechanisms and methods administrators/managers use to control what users may access, including what they may do after authentication and authorization, and how that access is monitored.
Topics
• Identification
• Authentication
• Authorization
• Access control models
• Access control techniques
• Access control methods
• Access control administration
• Threats to access controls
Who?
How?
What is access control?
• Access control is the heart of security
• Definitions:
– The ability to allow only authorized users, programs or processes system or resource access
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
How can AC be implemented?
• Administrative controls
– Policies
– Procedures
• Logical controls
– Passwords
• Physical controls
– Electric door
What does AC hope to protect?
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure
Administrative access control
• Awareness training
• Background checks
• Separation of duties
• Split knowledge
• Policies
• Data classification
• Effective user registration
• Termination procedures
• Change control procedures
Physical access control
• Guards
• Locks
• Mantraps
• ID badges
• CCTV, sensors, alarms
• Biometrics
• Fences - the higher the voltage the better
• Card-key and tokens
• Guard dogs
Man Trap
1. Insert an identification card (what you have)
2. Type a 12-digit secret number (what you know)
3. The computer randomly selects words that must be spoken back (who you are)
Typical Access Rights
• Read, inquiry or copy only
• Write, create, update or delete only
• Execute only
• A combination of the above
Mandatory vs Discretionary Access Control
• Mandatory
– “The system decides how the data will be shared”
– Enforces corporate security policy
– Compares sensitivity of information resources
• Discretionary
– “You decide how you want to protect and share your data”
– Enforces data-owner-defined sharing of information resources
Mandatory Access Control
• Assigns sensitivity levels, AKA labels
• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.
• Only the administrators, not object owners, may change the object level
• Generally more secure than DAC
• Orange book B-level
• Used in systems where security is critical, e.g., military
• Hard to program for and configure & implement
Mandatory Access Control (Continued)
• Downgrade in performance
• Relies on the system to control access
• Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
• All output, i.e., print jobs, floppies, other magnetic media, must be labeled with its sensitivity level
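As an added illustration (not code from the slides), the label comparison behind the example above, in the Bell-LaPadula style: no read up, no write down, and only an administrator may relabel. Users, clearances and file names are constructed.

```python
# Added example, not code from the slides: a tiny reference monitor that
# enforces the label comparison mandatory access control is built on.
# Labels, users and file names below are constructed for illustration.
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass
class ReferenceMonitor:
    clearances: dict = field(default_factory=dict)  # user -> clearance
    labels: dict = field(default_factory=dict)      # object -> label
    audit: list = field(default_factory=list)       # every decision is logged

    def _decide(self, user, obj, op, allowed):
        self.audit.append((user, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed

    def can_read(self, user, obj):
        # Simple security property ("no read up"): clearance must dominate label.
        ok = LEVELS[self.clearances[user]] >= LEVELS[self.labels[obj]]
        return self._decide(user, obj, "read", ok)

    def can_write(self, user, obj):
        # *-property ("no write down"): the object's label must dominate the
        # writer's clearance, so secret data cannot flow into a confidential file.
        # Writing "up" into a more sensitive object is allowed (a blind write).
        ok = LEVELS[self.labels[obj]] >= LEVELS[self.clearances[user]]
        return self._decide(user, obj, "write", ok)

    def relabel(self, actor, obj, new_label):
        # Only administrators, not object owners, may change a label.
        if actor != "admin":
            return self._decide(actor, obj, "relabel", False)
        self.labels[obj] = new_label
        return self._decide(actor, obj, "relabel", True)

def demo():
    rm = ReferenceMonitor(
        clearances={"alice": "secret", "bob": "confidential", "admin": "top secret"},
        labels={"budget.txt": "confidential", "plans.txt": "secret"},
    )
    return {
        "bob_reads_plans": rm.can_read("bob", "plans.txt"),          # False: read up
        "alice_reads_budget": rm.can_read("alice", "budget.txt"),    # True
        "alice_writes_budget": rm.can_write("alice", "budget.txt"),  # False: write down
        "bob_writes_plans": rm.can_write("bob", "plans.txt"),        # True: write up
        "bob_relabels": rm.relabel("bob", "budget.txt", "unclassified"),  # False
        "audit_entries": len(rm.audit),
    }
```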
Discretionary Access Control
• Access is restricted based on the authorization granted to the user
• Orange book C-level
• Primarily used to separate and protect users from unauthorized data
• Used by Unix, NT, NetWare, Linux, Vines, etc.
• Relies on the object owner to control access
Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, by what method and at what time
• Different operating systems have different ACL terms
• Types of access:
– Read/Write/Create/Execute/Modify/Delete/Rename
Standard UNIX file permissions

Permission    Allowed action, if object is a file   Allowed action, if object is a directory
R (read)      Read contents of the file             List contents of the directory
X (execute)   Execute file as a program             Search the directory
W (write)     Change file contents                  Add, rename, create files and subdirectories
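An added example (not from the slides) that evaluates the UNIX permission bits for a requesting user and reports what the granted bit means for a file versus a directory, as in the table above. It also shows the classic rule that exactly one class (owner, group or other) applies. Users, groups and modes are constructed.

```python
# Added example, not code from the slides: checking a classic UNIX mode
# (rwxrwxrwx) for a given user and operation. Names below are constructed.

# What each bit permits, per the table above.
MEANING = {
    ("r", False): "read contents of the file",
    ("r", True):  "list contents of the directory",
    ("x", False): "execute file as a program",
    ("x", True):  "search the directory",
    ("w", False): "change file contents",
    ("w", True):  "add, rename, create files and subdirectories",
}

def parse_symbolic(perm):
    """'rwxr-x---' (the 9-character form shown by ls -l) -> 0o750."""
    if len(perm) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr-x---")
    mode = 0
    for i, ch in enumerate(perm):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at position {i}")
    return mode

def check(mode, owner, group, user, user_groups, op, is_dir):
    """Return (allowed, meaning). Classic UNIX consults exactly one class:
    owner bits if the user owns the object, else group bits if the user is
    in the object's group, else the 'other' bits. Later classes are never
    consulted even if they would grant more."""
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[op]
    allowed = bool((mode >> shift) & bit)
    return allowed, MEANING[(op, is_dir)]

def demo():
    mode = parse_symbolic("rwxr-x---")          # owner alice, group staff
    return {
        "bob_lists_dir": check(mode, "alice", "staff", "bob", ["staff"], "r", True),
        "bob_creates_in_dir": check(mode, "alice", "staff", "bob", ["staff"], "w", True),
        "carol_lists_dir": check(mode, "alice", "staff", "carol", ["users"], "r", True),
        # Owner with ---rwxrwx: the owner class applies, so alice is denied.
        "owner_locked_out": check(parse_symbolic("---rwxrwx"), "alice", "staff",
                                  "alice", ["staff"], "r", False),
    }
```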
Standard NT file permissions

Permission     Allowed action, if object is a file   Allowed action, if object is a directory
No access      None                                  None
List           N/A                                   RX
Read           RX                                    RX
Add            N/A                                   WX
Add & Read     N/A                                   RWX
Change         RWXD                                  RWXD
Full Control   All                                   All

R - Read, X - Execute, W - Write, D - Delete
Authentication
3 types of authentication:
• Something you know - Password, PIN, mother's maiden name, passcode, fraternity chant
• Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
• Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA
Multi-factor authentication
• 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
– ATM card + PIN
– Credit card + signature
– PIN + fingerprint
– Username + Password (NetWare, Unix, NT default)
• 3-factor authentication -- For highest security
– Username + Password + Fingerprint
– Username + Passcode + SecurID token
Problems with passwords
• Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
• Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
• Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
• Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Password drawbacks
• An eavesdropper steals the password while it is being spoken
• A thief can steal the password list on the server
• The password may be easy to guess
• To make password use more secure, the computer may end up making the computer less convenient to use. E.g., the computer chooses the password; the password must be changed after a set period
Classic password rules
• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
• Don't use:
– common names, DOB, spouse, phone #, etc.
– words found in dictionaries
– password as a password
– system defaults
On-line password guessing & its prevention
• Dictionary attack
• Some systems force the password to be entered by a human only (not a program). Humans are relatively slow.
• There is a maximum number of retries. E.g., an ATM card can be swallowed. But this can lead to vandalism: if someone has the full list of usernames, they can write a program that tries to log in to every username. After 5 attempts, the system will lock!
• Another way: every wrong password entry is processed v e r y  s l o w l y . . . !
• Can be detected: last successful & unsuccessful login, from where and when
• Some systems force the user to use a computer-generated password: users dislike memorizing it... so they write it on paper! E.g., Geocities
• Some like to require combinations of @$*%$, digits and UPPERCASE letters
• Some also force a password change after a set period
Off-line password guessing
• Guessing the password from its hash, because the hash of a common password is always the same
• Backups of the disks on the server must also be encrypted
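An added example (not from the slides) of the point above: with an unsalted hash, two users with the same common password get the same hash, so one precomputed word list matches a stolen password file with a single lookup per user; a per-user salt and a slow key derivation (PBKDF2 here) remove that shortcut. Users, passwords and the word list are constructed.

```python
# Added example, not code from the slides: unsalted fast hashing versus
# salted, iterated hashing of stored passwords. All data is constructed.
import hashlib
import hmac
import os

COMMON_WORDS = ["password", "123456", "letmein", "qwerty"]  # constructed word list
ITERATIONS = 100_000

def fast_unsalted(pw):
    """The weak scheme: one SHA-256 of the password, no salt."""
    return hashlib.sha256(pw.encode()).hexdigest()

def precomputed_table(words):
    """One hash per word, computed once; the same table serves every user
    and every server that uses the weak scheme."""
    return {fast_unsalted(w): w for w in words}

def guess_unsalted(stolen_hashes, table):
    """Return {user: recovered password} using a single lookup per user."""
    return {u: table[h] for u, h in stolen_hashes.items() if h in table}

def salted_slow(pw, salt=None, iterations=ITERATIONS):
    """The stronger scheme: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Identical passwords now yield different stored values, and each guess
    must be recomputed per user at the full iteration cost."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, dk

def verify(pw, salt, dk, iterations=ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison

def demo():
    users = {"ani": "password", "budi": "password", "citra": "Tr0ub4dor&3"}  # constructed
    unsalted = {u: fast_unsalted(p) for u, p in users.items()}
    recovered = guess_unsalted(unsalted, precomputed_table(COMMON_WORDS))
    salted = {u: salted_slow(p) for u, p in users.items()}
    return {
        "same_hash_for_same_password": unsalted["ani"] == unsalted["budi"],
        "recovered": recovered,                      # ani and budi, not citra
        "salted_hashes_differ": salted["ani"][1] != salted["budi"][1],
        "verify_ok": verify("password", *salted["ani"]),
        "verify_wrong": verify("passw0rd", *salted["ani"]),
    }
```

Current practice would prefer a memory-hard function such as Argon2 or scrypt over PBKDF2, but the salt-plus-cost principle is the same.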
Password distribution
• The user comes to the administrator. What if someone is impersonating them?
• Use a photo ID (KTP/SIM/KTM)
• The user chooses their password at a dedicated terminal.
• Or the user is given a password used only for the first login, after which they are forced to change it. This is called a pre-expired password
• An inappropriate method: the password is the student number (NPM), announced by broadcast (e.g., posted on a notice board).
• At a bank, we are sent a letter containing our PIN. Your opinion?
Authentication Token
• What you have!
• House keys and credit cards can be stolen!
• The advantage may be psychological: people are less willing to lend a card than a password!
• Usually needs extra hardware: e.g., a smart card / magnetic card reader
Smart Card
Credit-card sized, but with a processor inside. There are several kinds:
• PIN-protected memory card: contents can only be read if the PIN is correct
• Cryptographic challenge & response cards
• Contactless smart card
Uses:
– Bank cards: debit & credit
– ID card, including for login. One card for all access
– Wallet for e-cash
– Payphone
– Loyalty program
– Parking ticket
– Health card: can keep secrets
[Figure: sample bank card, "Dr. John Tralala", showing card number and expiry date]
Biometrics
• Authenticating a user via human characteristics
• Using measurable physical characteristics of a person to prove their identification
– Fingerprint
– Signature dynamics
– Iris
– Retina
– Voice
– Face
– DNA, blood
Physical Identification of Humans
[Figures: Fingerprint scan; Hand signature; Hand geometry]
Advantages of fingerprint-based biometrics
• Can't be lent like a physical key or token and can't be forgotten like a password
• Good compromise between ease of use, template size, cost and accuracy
• Fingerprints contain enough inherent variability to enable unique identification even in very large (millions of records) databases
• Basically lasts forever -- or at least until amputation or dismemberment
• Makes network login & authentication effortless
Biometric Disadvantages
• Still relatively expensive per user
• Companies & products are often new & immature
• No common API or other standard
• Some hesitancy for user acceptance
Performance Issues
• False Rejection Rate (type 1 error): percentage of valid subjects that are rejected
• False Acceptance Rate (type 2 error): percentage of invalid subjects that the system accepts
• Crossover Error Rate (CER): the point where FRR equals FAR
• The problem: if sensitivity is raised, FRR rises and FAR falls. The optimum point, the CER, must be found
Crossover Error Rate
[Figure: FRR and FAR (%) plotted against sensitivity; the curves cross at the CER]
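An added example (not from the slides) that computes FRR and FAR for each acceptance threshold from a constructed set of matcher scores and locates the crossover. The genuine and impostor score lists are constructed; the threshold plays the role of the sensitivity axis in the chart above.

```python
# Added example, not code from the slides: FRR/FAR sweep and crossover (CER)
# on constructed matcher scores (1.0 = perfect match, 0.0 = no match).
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60, 0.52]   # constructed
IMPOSTOR = [0.12, 0.20, 0.28, 0.35, 0.41, 0.48, 0.55, 0.62, 0.68, 0.75]  # constructed

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """A score >= threshold is accepted.
    FRR (type 1): genuine users rejected, as a fraction of genuine attempts.
    FAR (type 2): impostors accepted, as a fraction of impostor attempts."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def sweep(steps=100, **kw):
    """FRR and FAR at every threshold 0.00, 0.01, ..., 1.00 (the 'sensitivity'
    axis). Raising the threshold raises FRR and lowers FAR."""
    return [(i / steps, *rates(i / steps, **kw)) for i in range(steps + 1)]

def crossover(steps=100, **kw):
    """Return (threshold, frr, far) at the first threshold where the two
    curves are closest; with equal FRR and FAR that value is the CER."""
    return min(sweep(steps, **kw), key=lambda row: (abs(row[1] - row[2]), row[0]))

if __name__ == "__main__":
    for t in (0.50, 0.80):
        frr, far = rates(t)
        print(f"threshold {t:.2f}: FRR={frr:.0%} FAR={far:.0%}")
    t, frr, far = crossover()
    print(f"crossover at threshold {t:.2f}: FRR={frr:.0%} FAR={far:.0%} (CER)")
```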
Random Number Generator
• E.g., KeyBCA
• Challenge & response
• Which category does it belong to?
– What you know?
– What you have?
– Who you are?
Logical Access Control
Logical Access Controls
• Access control over IT infrastructure can be applied at various levels
– Front end & back end
– How networks segregate & protect access to information resources.
• Paths of logical access
– General points of entry
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals
Logical Access Controls: Protection
• Logical Access Control Software
– Prevents unauthorized access to and modification of an organization's sensitive data, and unauthorized use of system-critical functions
– All layers: networks, operating systems, databases & application systems
– Software functions:
• Identification and authentication
• Access authorization
• Monitoring: logging of user activity, reporting
– Most effective implementation: at the network and operating system levels (restricting privileges at a low level)
Logical Access Controls
Operating systems access control
• User identification and authentication mechanisms
• Restricted logon IDs
• Rules for access to specific information resources
• Create individual accountability and auditability
• Create or change user profiles
• Log events
• Log user activities
• Report capabilities
Database and/or application-level access control
• Create or change data files and database profiles
• Verify user authorization at the application and transaction levels
• Verify user authorization within the application
• Verify user authorization at the field level for changes within a database
• Verify subsystem authorization for the user at the file level
• Log database/data communications access activities for monitoring access violations
Single sign-on (SSO)
SSO is the process of consolidating all of an organization's platform-based administration, authentication and authorization functions into a single centralized administrative function.
A single sign-on product interfaces with:
• client-server and distributed systems
• mainframe systems
• network security, including remote access mechanisms
Single Sign On
Single sign-on (SSO) advantages
• Multiple passwords are no longer required, so a user may be more inclined and motivated to select a stronger password
• It improves an administrator's ability to manage users' accounts and authorizations on all associated systems
• It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications
• It reduces the time taken by users to log into multiple applications and platforms
Single sign-on (SSO) disadvantages
• Support for all major operating system environments is difficult
• The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets
Key Distribution Centre (overview)
Pros and cons of a KDC
• Advantages:
– when there is a new user, it only has to be added at the KDC
– if one user is compromised, not every node is compromised
• Disadvantages:
– the KDC can impersonate anyone
– the KDC is the weak point of the system
– KDC performance can degrade when very many users contact the KDC at the same time.
Example KDC: Kerberos 5
• Specified in RFC 1510 by Kohl and Neuman in 1993; the source code can be obtained from http://web.mit.edu.
• Products that use it include OSF Distributed Computing Environment (DCE) and Windows 2000.
Kerberos objects
• Authenticator: a token created by the client and sent to the server to prove the user's identity
• Ticket: issued by the TGS (ticket granting service), which the client can “show” to a particular service server (e.g., a database server).
• Session key: a random key created by Kerberos and given to the client when it wants to communicate with a particular server.
Note:
• The client needs a ticket and a session key to communicate with a particular server; the ticket is valid for a period of several hours.
Rule of least privilege
• One of the most fundamental principles of infosec
• States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
• An AC system that grants users only those rights necessary for them to perform their work
• Limits exposure to attacks and the damage an attack can cause
• Ensures that only a minimal set of users have root access