02-06-2012, 01:47 PM
Access Control
Access Control.ppt (Size: 3.31 MB / Downloads: 103)
Two parts to access control
  Authentication: Who goes there?
    Determine whether access is allowed
    Authenticate human to machine
    Authenticate machine to machine
  Authorization: Are you allowed to do that?
    Once you have access, what can you do?
    Enforces limits on actions
Note: "Access control" is often used as a synonym for authorization
Trouble with Passwords
“Passwords are one of the biggest practical problems facing security engineers today.”
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”
Why Passwords?
Why is "something you know" more popular than "something you have" and "something you are"?
  Cost: passwords are free
  Convenience: easier for a system administrator (SA) to reset a password than to issue the user a new thumb
Attacks on Passwords
Attacker could…
  Target one particular account
  Target any account on the system
  Target any account on any system
  Attempt a denial of service (DoS) attack
Common attack path
  Outsider → normal user → administrator
  May only require one weak password
Password File
Bad idea to store passwords in a file
But need a way to verify passwords
Cryptographic solution: hash the passwords
  Store y = h(password)
  Can verify an entered password by hashing it and comparing with y
  If an attacker obtains the password file, he does not obtain the passwords
But an attacker with the password file can guess x offline and check whether y = h(x)
  If so, the attacker has found the password!
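The password-file scheme from the slide, worked through as an added example (not from the slides or the linked deck): storing y = h(password), verifying a login by re-hashing, and a defender's audit showing that anyone holding the file can test guesses x against y = h(x) without touching the login service. It goes one step beyond the slide by contrasting this with per-user salt plus a slow hash (PBKDF2), which is what makes that offline check expensive. All account names, passwords and the iteration count are constructed values.

```python
import hashlib
import hmac
import os

# --- The scheme on the slide: store y = h(password), verify by re-hashing ---

def h(password: str) -> str:
    """Unsalted hash, as in the slide's y = h(password)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_password_file(accounts: dict) -> dict:
    """Password file holding only y = h(password) per user, never the password."""
    return {user: h(pw) for user, pw in accounts.items()}

def verify(pwfile: dict, user: str, attempt: str) -> bool:
    """Login check: hash the entered password and compare it with the stored y."""
    y = pwfile.get(user)
    return y is not None and hmac.compare_digest(y, h(attempt))

def audit_weak_passwords(pwfile: dict, candidates: list) -> dict:
    """Defender's audit of the slide's warning: whoever holds the file can test a
    guess x offline by checking y == h(x). With no salt, one h(x) is compared
    against every account at once. Returns user -> guessed password."""
    lookup = {h(x): x for x in candidates}
    return {user: lookup[y] for user, y in pwfile.items() if y in lookup}

# --- Mitigation (beyond the slide): per-user random salt and a slow hash ---

ITERATIONS = 200_000  # constructed value; tune so one hash costs ~100 ms on the server

def h_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store_salted(password: str) -> tuple:
    """Returns (salt, y); the random salt is stored next to y in the file."""
    salt = os.urandom(16)
    return salt, h_salted(password, salt)

def verify_salted(record: tuple, attempt: str) -> bool:
    salt, y = record
    return hmac.compare_digest(y, h_salted(attempt, salt))

if __name__ == "__main__":
    # Constructed sample accounts; alice and bob share a weak password.
    accounts = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3-xk"}
    pwfile = build_password_file(accounts)
    assert verify(pwfile, "alice", "password") and not verify(pwfile, "alice", "letmein")
    print(audit_weak_passwords(pwfile, ["123456", "password", "qwerty"]))  # {'alice': 'password', 'bob': 'password'}
    # With salts, alice and bob no longer share a y, so one guess no longer checks every account.
    ra, rb = store_salted("password"), store_salted("password")
    assert ra[1] != rb[1] and verify_salted(ra, "password")
```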