CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy...

CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

Authentication, access control, and policy configuration

Lorrie Faith CranorOctober 2009

Outline

Definitions Authentication Access control Policy management Policy authoring

Definitions Identification - a claim about identity

– Who or what I am (global or local) Authentication - confirming that claims are true

– I am who I say I am– I have a valid credential

Authorization - granting permission based on a valid claim– Now that I have been validated, I am allowed to access certain resources

or take certain actions Access control system - a system that authenticates users and gives

them access to resources based on their authorizations– Includes or relies upon an authentication mechanism– May include the ability to grant course or fine-grained authorizations,

revoke or delegate authorizations– Also includes an interface for policy configuration and management

Building blocks of authentication Factors

– Something you know (or recognize)– Something you have– Something you are

Two factors are better than one– Especially two factors from different categories

What are some examples of each of these factors?

What are some examples of two-factor authentication?

Authentication mechanisms

Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics

Evaluation

Accessibility Memorability Security Cost Environmental considerations

Typical password advice

Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down

So what do you do when every web site you visit asks for a password?

Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1

Problems with Passwords Selection

– Difficult to think of a good password– Passwords people think of first are easy to guess

Memorability– Easy to forget passwords that aren’t frequently used– Difficult to remember “secure” passwords with a mix of upper & lower

case letters, numbers, and special characters Reuse

– Too many passwords to remember– A previously used password is memorable

Sharing– Often unintentional through reuse– Systems aren’t designed to support the way people work together and

share information

Mnemonic PasswordsFour

First letter of each word (with punctuation)

fsasya,oFSubstitute numbers for words or similar-looking letters

4sa7ya,oFSubstitute symbols for words or similar-looking letters

4sasya,oF

4sa7ya,oF

4s&7ya,oF

score s andaand seven sseven yearsy ago a ,, our o Fathers F

Source: Cynthia Kuo, SOUPS 2006

The Promise?

Phrases help users incorporate different character classes in passwords– Easier to think of character-for-word substitutions

Virtually infinite number of phrases Dictionaries do not contain mnemonics

The Problem?

“Goodness” of mnemonic passwords unknown– Yan et al. compared regular, mnemonic, and

randomly generated passwords• Used standard (non-mnemonic) dictionary• Effectively evaluated whether mnemonic passwords

contained dictionary words

Mnemonic password evaluation Mnemonic passwords are not a panacea for

password creation No comprehensive dictionary today May become more vulnerable in future

– Many people start to use them– Attackers incentivized to build dictionaries

Publicly available phrases should be avoided!

C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

Password keeper software

Run on PC or handheld Only remember one password

Single sign-on

Login once to get access to all your passwords

Biometrics

Graphical passwords

“Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently

used sites?

Convenient SecureID 1

What problems does this approach solve?

What problems does it create?

Source:

http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx

Convenient SecureID 2

What problems does this approach solve?

What problems does is create?

Previously available at:

http://fob.webhop.net/

Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable-a

uthentication/2007Mar/0004.html– User gets ID, password (or alternative), image,

hotspot at enrollment– Before user is allowed to login they are asked to

confirm URL and SSL cert and click buttons– Then login box appears and user enters username

and password (or alternative)– Server displays set of images, including user’s image

(or if user entered incorrect password, random set of images appear)

– User finds their image and clicks on hotspot• Image manipulation can help prevent replay attacks

What problems does this solve? What problems doesn’t it solve? What kind of testing is needed

Types of access control Discretionary access control

– Distributed, dynamic, users set access rules for resources they own and can delegate access to others

Role-based access control– Centralized admin assigns users to roles and sets

access rules based on roles And many others that vary

– discretionary/mandatory– centralized/distributed– granularity– grouping

Policy management problems Admins, large organizations understanding large

access control policies– Someone in marketing changed a policy and now we can’t

figure out why people in sales no longer have access to a document

– Who has access to this document anyway? End users creating and understanding policies

– Examples: File system permissions, Grey, Perspective, privacy rules

– Home users want to share some files with some other users, but don’t want to share everything

Roles for policy professionals

Policy makers Policy implementers

L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in

access-control management. CHI 2009.

http://www.ece.cmu.edu/~lbauer/papers/2009/chi09-management.pdf

Policy conflicts Given

– Alice is in GroupA and GroupB– FileQ is in FolderX

What types of conflicts might occur?

Direct conflict– Alice allowed access to FileQ– Alice denied access to FileQ

Group/group conflict– GroupA allowed access to FileQ– GroupB denied access to FileQ

User/group conflict– Alice allowed access to FileQ– GroupA denied access to FileQ

File/directory conflict– Alice allowed access to FileQ– Alice denied access to FolderX

2-way conflict – Alice allowed access to FileQ– GroupA denied access to FolderX

How can conflicts be resolved?

Default rule – deny/allow takes precedence Ordered rules – policy author sets order Ordered rules – most recent first/last Specificity – most/least specific takes precedence Weighted rules – policy author assigns weights Exceptions – policy authors defines exceptions

(essentially a partial ordering) Combination

Policy Authoring

Slides courtesy of Rob Reeder

R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.

Memogate

Proliferation of policiesFile systems

Location disclosure applications

Online social networks

Websites

Policy authoring

Policy – a set of rules that determine the conditions under which access is allowed to a resource

Policies are created, edited, and viewed – authored

Someone determines policy – the author Policies should fulfill the author’s intentions Policy authoring is done with a user interface

List of rules interfaces support policy authoring operations poorly Viewing policy

– Often only one rule at a time is visible– Difficult to understand policy by reading

long list of rules Changing policy

– Difficult to understand effect of changes because you can’t see all relevant parts of a policy together

Viewing group memberships– Usually requires using a separate

interface Detecting and resolving conflicts

– When rules interact, it isn’t clear what the outcome will be

Solution: Expandable Grid

Key insight:Center policy-authoring user interfaces around a display of the whole effective policy, not a list of rules

Expandable Grid details

Direct manipulation interface

To change a policy, just click on a cell and toggle the color

In order to make this work, we had to change the conflict resolution semantics– Widows semantics: Deny takes precedence, but

specificity precedence in resource dimension– Expandable Grid semantics: Recency precedence

User study of Expandable Grid for file permissions Laboratory study 2 conditions:

– Expandable Grid– Native Windows file permissions interface

36 participants, 18 per condition, novice policy authors Training:

– 3.5 minutes for Grid– 5.5 minutes for Windows

18 tasks based on a teaching assistant scenario

Example task: Jana Set permissions so that Jana can read and write the

Four-part Harmony.doc file in the Theory 101\Handouts folder.

Task setup:– Jana is a TA “this” year (did the study in 2007)

• Is in the group Theory 101 TAs 2007– Jana was a TA last year

• Is in the group Theory 101 TAs 2006– 2007 TAs are allowed READ & WRITE– 2006 TAs are denied READ & WRITE– Since Jana is in both groups, she is denied access

Jana task – common error

Learning Jana’s effective permissions

Click “Advanced” Click “Effective Permissions”

Select Jana

View Jana’s Effective Permissions

Learning Jana’s group membership5

Bring up Computer Management interface

Click on “Users”

Double-click Jana

Read Jana’s group membership

TAs 2006TAs 2007

Click “Member Of”

Learning Jana’s groups’ permissions

Click on TAs 2006

Read permissions for TAs 2006

Click on TAs 2007

Read permissions for TAs 2007

Changing Jana’s groups’ permissions

Click on TAs 2006

Change permissions for TAs 2006

Checking work

Click “Advanced”

Click “Effective Permissions”

Select Jana

View Jana’s Effective Permissions

XP support for fundamental operations

Viewing policy– Effective policy is 3 screens away (most authors

don’t find them) Changing policy

– Authors operate on rules, not effective policy Viewing group memberships

– In a separate application from file permissions Detecting and resolving conflicts

– Has to be done manually

Viewing effective policy

Viewing group membership

Changing policy

Resolving rule conflicts

Grid support for fundamental operations

Viewing policy– Effective policy directly shown on screen

Changing policy– Changes take one click

Viewing group memberships– Group memberships are shown in the trees

Detecting and resolving conflicts– Happens automatically

Results

Small-size Large-size

Task type Accuracy Time Accuracy Time

View simple

View complex

Change simple

Change complex

Compare groups

Conflict simple

Conflict complex

Memogate simulation

Precedence rule test

111s126s

89%56%

94%17%

89%94%

89%83%

67%61%

100%94%

89%94%

61%56%

10039%

100100

67%17%

67%83%

72%61%

94%78%

78%78%

29s64s

35s55s

30s52s

70sInsufficient data

39s103s

55s103s

20s66s

Insufficient data

42s118s

42s61s

39s67s

50s42s

73s104s

52sInsufficient data

105s116s

71s115s

0 50 100 150

GridWindows

Jana task

Conflict-resolution method Were the effects we observed due to the Expandable

Grid visualization, the recency precedence conflict-resolution method, or both?

We ran another study to find out– Implemented deny-takes-precedence in the Expandable

Grid interface– Ran 18 new participants with the new Grid interface

Results– On the Jana task, recency precedence made a big

difference– On the other tasks, the Grid was generally superior to

Windows no matter the conflict resolution scheme Both the Grid’s presentation aspects AND recency

precedence make a difference

Desired properties for conflict resolution method Direct manipulation Exception-rule preservation Order independence Fail safety

Problems with Windows and recency semantics

Windows: – No satisfactory way to solve Jana-like rule conflicts

Recency:– Too liberal in overriding existing rules– Does not work well in the presence of dynamic

changes, like adding a user to a group, moving a file

Our specificity semantics Conflict resolution procedure

– Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence)

– Otherwise, use deny-precedence Benefits

– If group rules are in conflict, can make a user-level exception

– Exceptions stay in place even when group rules change

– User-level or file-level exceptions stay in place even in the presence of dynamic changes

Enhanced Grid

Semantics study #2 Laboratory study 3 conditions:

– Expandable Grid with specificity semantics– Expandable Grid with Windows semantics– Native Windows file permissions interface

54 participants, 18 per condition, novice policy authors 10 minutes training for all conditions Used large-scale Teaching Assistant scenario from prior

study 12 total tasks with counterbalanced task order

Results and discussion Conflict resolution semantics can have a big

effect on usability, but no perfect semantics Specificity helps resolve rule conflicts and makes

group rule exceptions easy Specificity semantics is not always better than

Windows semantics The grid/specificity combination overcomes

semantics disadvantages Whatever the semantics, show effective policy!

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy...

Documents

Transcript of CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy...

NAME: DAVID CAMPBELL INTERVIEWER: LORRIE MELL …

Norman Sadeh 54M smart phones in Q1 2010...2010/05/27 · Norman Sadeh, “M-Commerce: Technologies, Services and Business Models”, Wiley 2002 Norman Sadeh, Jason Hong, Lorrie Cranor,

Underground Injection Well Overview, Lorrie Council

Lorrie Mayzlin

Nicolas Christin, CMU INI/CyLab Sally S. Yanagihara, CMU INI/CyLab Keisuke Kamataki, CMU CS/LTI.

Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren.

An Investigation of Facebook Grouping Robin Brewer Yael Mayer Lorrie Cranor Patrick Kelley facebook Home Profile Account Search.

Telepathwords: preventing weak passwords by reading users ......by reading users’ minds . Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, Stuart ... • “Dictionary”

Alessandro Acquisti Heinz College/CyLab Carnegie Mellon University

Cover - Dennis & Lorrie Montgomery’s 2006 Convertible OOn n … · 2018. 11. 19. · Membership Lorrie Montgomery (425) 806-4613 Lorrie@CorvetteMarqueClub.com Mem/Apparel Mona Cox

Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Understanding the Human in.

How to Become a Writer - Lorrie Moore

The Platform for Privacy Preferences Project (P3P) Lorrie Faith Cranor AT&T Labs-Research P3P Interest Group Co-Chair October 1998.

jfk.hood.edujfk.hood.edu/Collection/Weisberg Subject Index Files/C Disk/Cranor...he Magic Fragments and Other Stories By Milicent Cranor Ballistics virtuoso Martin Luther Fackler,

Lorrie Faith Cranor AT&T Labs-Research Online Privacy Promise or Peril?

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research lorrie

Usable Security and Passwords, Cylab Corporate Partners Oct 2009

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.

Recruiting and crowdsourcing - cs.umd.edummazurek/634-slides/08-recruiting-crowd... · Recruiting and crowdsourcing Michelle Mazurek Some slides adapted from Lorrie Cranor. 2 ...

Cost of Privacy: A HIPAA perspective - Lorrie Faith Cranor ...lorrie.cranor.org/courses/fa05/mpimenterichaa.pdf · Page 2 of 23 Abstract For many organizations, HIPAA compliance is