Post on 22-Dec-2015
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1
Authentication, access control, and policy configuration
Lorrie Faith CranorOctober 2009
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2
Outline
Definitions Authentication Access control Policy management Policy authoring
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3
Definitions Identification - a claim about identity
– Who or what I am (global or local) Authentication - confirming that claims are true
– I am who I say I am– I have a valid credential
Authorization - granting permission based on a valid claim– Now that I have been validated, I am allowed to access certain resources
or take certain actions Access control system - a system that authenticates users and gives
them access to resources based on their authorizations– Includes or relies upon an authentication mechanism– May include the ability to grant course or fine-grained authorizations,
revoke or delegate authorizations– Also includes an interface for policy configuration and management
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4
Building blocks of authentication Factors
– Something you know (or recognize)– Something you have– Something you are
Two factors are better than one– Especially two factors from different categories
What are some examples of each of these factors?
What are some examples of two-factor authentication?
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5
Authentication mechanisms
Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6
Evaluation
Accessibility Memorability Security Cost Environmental considerations
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7
Typical password advice
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8
Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down
So what do you do when every web site you visit asks for a password?
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9
Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 10
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 11
Problems with Passwords Selection
– Difficult to think of a good password– Passwords people think of first are easy to guess
Memorability– Easy to forget passwords that aren’t frequently used– Difficult to remember “secure” passwords with a mix of upper & lower
case letters, numbers, and special characters Reuse
– Too many passwords to remember– A previously used password is memorable
Sharing– Often unintentional through reuse– Systems aren’t designed to support the way people work together and
share information
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12
Mnemonic PasswordsFour
First letter of each word (with punctuation)
fsasya,oFSubstitute numbers for words or similar-looking letters
4sa7ya,oFSubstitute symbols for words or similar-looking letters
F
4sasya,oF
Four
4sa7ya,oF
4s&7ya,oF
score s andaand seven sseven yearsy ago a ,, our o Fathers F
Source: Cynthia Kuo, SOUPS 2006
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13
The Promise?
Phrases help users incorporate different character classes in passwords– Easier to think of character-for-word substitutions
Virtually infinite number of phrases Dictionaries do not contain mnemonics
Source: Cynthia Kuo, SOUPS 2006
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14
The Problem?
“Goodness” of mnemonic passwords unknown– Yan et al. compared regular, mnemonic, and
randomly generated passwords• Used standard (non-mnemonic) dictionary• Effectively evaluated whether mnemonic passwords
contained dictionary words
Source: Cynthia Kuo, SOUPS 2006
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15
Mnemonic password evaluation Mnemonic passwords are not a panacea for
password creation No comprehensive dictionary today May become more vulnerable in future
– Many people start to use them– Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
Source: Cynthia Kuo, SOUPS 2006
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16
Password keeper software
Run on PC or handheld Only remember one password
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17
Single sign-on
Login once to get access to all your passwords
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18
Biometrics
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19
Graphical passwords
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20
“Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently
used sites?
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21
Convenient SecureID 1
What problems does this approach solve?
What problems does it create?
Source:
http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22
Convenient SecureID 2
What problems does this approach solve?
What problems does is create?
22
Previously available at:
http://fob.webhop.net/
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23
Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable-a
uthentication/2007Mar/0004.html– User gets ID, password (or alternative), image,
hotspot at enrollment– Before user is allowed to login they are asked to
confirm URL and SSL cert and click buttons– Then login box appears and user enters username
and password (or alternative)– Server displays set of images, including user’s image
(or if user entered incorrect password, random set of images appear)
– User finds their image and clicks on hotspot• Image manipulation can help prevent replay attacks
What problems does this solve? What problems doesn’t it solve? What kind of testing is needed
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24
Types of access control Discretionary access control
– Distributed, dynamic, users set access rules for resources they own and can delegate access to others
Role-based access control– Centralized admin assigns users to roles and sets
access rules based on roles And many others that vary
– discretionary/mandatory– centralized/distributed– granularity– grouping
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25
Policy management problems Admins, large organizations understanding large
access control policies– Someone in marketing changed a policy and now we can’t
figure out why people in sales no longer have access to a document
– Who has access to this document anyway? End users creating and understanding policies
– Examples: File system permissions, Grey, Perspective, privacy rules
– Home users want to share some files with some other users, but don’t want to share everything
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26
Roles for policy professionals
Policy makers Policy implementers
L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in
access-control management. CHI 2009.
http://www.ece.cmu.edu/~lbauer/papers/2009/chi09-management.pdf
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27
Policy conflicts Given
– Alice is in GroupA and GroupB– FileQ is in FolderX
What types of conflicts might occur?
Direct conflict– Alice allowed access to FileQ– Alice denied access to FileQ
Group/group conflict– GroupA allowed access to FileQ– GroupB denied access to FileQ
User/group conflict– Alice allowed access to FileQ– GroupA denied access to FileQ
File/directory conflict– Alice allowed access to FileQ– Alice denied access to FolderX
2-way conflict – Alice allowed access to FileQ– GroupA denied access to FolderX
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28
How can conflicts be resolved?
Default rule – deny/allow takes precedence Ordered rules – policy author sets order Ordered rules – most recent first/last Specificity – most/least specific takes precedence Weighted rules – policy author assigns weights Exceptions – policy authors defines exceptions
(essentially a partial ordering) Combination
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29
Policy Authoring
Slides courtesy of Rob Reeder
R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30
Memogate
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31
Proliferation of policiesFile systems
Location disclosure applications
Online social networks
Websites
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 32
Policy authoring
Policy – a set of rules that determine the conditions under which access is allowed to a resource
Policies are created, edited, and viewed – authored
Someone determines policy – the author Policies should fulfill the author’s intentions Policy authoring is done with a user interface
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 33
List of rules interfaces support policy authoring operations poorly Viewing policy
– Often only one rule at a time is visible– Difficult to understand policy by reading
long list of rules Changing policy
– Difficult to understand effect of changes because you can’t see all relevant parts of a policy together
Viewing group memberships– Usually requires using a separate
interface Detecting and resolving conflicts
– When rules interact, it isn’t clear what the outcome will be
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 34
Solution: Expandable Grid
Key insight:Center policy-authoring user interfaces around a display of the whole effective policy, not a list of rules
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 35
Expandable Grid details
35
Jana
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 36
Direct manipulation interface
To change a policy, just click on a cell and toggle the color
In order to make this work, we had to change the conflict resolution semantics– Widows semantics: Deny takes precedence, but
specificity precedence in resource dimension– Expandable Grid semantics: Recency precedence
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 37
User study of Expandable Grid for file permissions Laboratory study 2 conditions:
– Expandable Grid– Native Windows file permissions interface
36 participants, 18 per condition, novice policy authors Training:
– 3.5 minutes for Grid– 5.5 minutes for Windows
18 tasks based on a teaching assistant scenario
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 38
Example task: Jana Set permissions so that Jana can read and write the
Four-part Harmony.doc file in the Theory 101\Handouts folder.
Task setup:– Jana is a TA “this” year (did the study in 2007)
• Is in the group Theory 101 TAs 2007– Jana was a TA last year
• Is in the group Theory 101 TAs 2006– 2007 TAs are allowed READ & WRITE– 2006 TAs are denied READ & WRITE– Since Jana is in both groups, she is denied access
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 39
Jana task – common error
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 40
Learning Jana’s effective permissions
2
4
Click “Advanced” Click “Effective Permissions”
Select Jana
View Jana’s Effective Permissions
1
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 41
Learning Jana’s group membership5
6
8
9
Bring up Computer Management interface
Click on “Users”
Double-click Jana
Read Jana’s group membership
TAs 2006TAs 2007
7
Click “Member Of”
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 42
Learning Jana’s groups’ permissions
10 11
12
13
Click on TAs 2006
Read permissions for TAs 2006
Click on TAs 2007
Read permissions for TAs 2007
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 43
Changing Jana’s groups’ permissions
14 15
Click on TAs 2006
Change permissions for TAs 2006
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 44
Checking work
17
19
16
Click “Advanced”
Click “Effective Permissions”
Select Jana
View Jana’s Effective Permissions
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 45
XP support for fundamental operations
Viewing policy– Effective policy is 3 screens away (most authors
don’t find them) Changing policy
– Authors operate on rules, not effective policy Viewing group memberships
– In a separate application from file permissions Detecting and resolving conflicts
– Has to be done manually
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 46
Viewing effective policy
1
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 47
Viewing group membership
2
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 48
Changing policy
3
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 49
Resolving rule conflicts
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 50
Grid support for fundamental operations
Viewing policy– Effective policy directly shown on screen
Changing policy– Changes take one click
Viewing group memberships– Group memberships are shown in the trees
Detecting and resolving conflicts– Happens automatically
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 51
Results
Small-size Large-size
Task type Accuracy Time Accuracy Time
View simple
View complex
Change simple
Change complex
Compare groups
Conflict simple
Conflict complex
Memogate simulation
Precedence rule test
111s126s
89%56%
94%17%
89%94%
61%0%
89%83%
67%61%
89%0%
100%94%
89%94%
61%56%
10039%
100100
67%17%
67%83%
72%61%
1006%
94%78%
78%78%
29s64s
35s55s
30s52s
70sInsufficient data
39s103s
55s103s
29s
20s66s
Insufficient data
42s118s
42s61s
39s67s
50s42s
73s104s
52sInsufficient data
105s116s
71s115s
100s
0 50 100 150
1
143s
GridWindows
Jana task
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 52
Conflict-resolution method Were the effects we observed due to the Expandable
Grid visualization, the recency precedence conflict-resolution method, or both?
We ran another study to find out– Implemented deny-takes-precedence in the Expandable
Grid interface– Ran 18 new participants with the new Grid interface
Results– On the Jana task, recency precedence made a big
difference– On the other tasks, the Grid was generally superior to
Windows no matter the conflict resolution scheme Both the Grid’s presentation aspects AND recency
precedence make a difference
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 53
Desired properties for conflict resolution method Direct manipulation Exception-rule preservation Order independence Fail safety
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 54
Problems with Windows and recency semantics
Windows: – No satisfactory way to solve Jana-like rule conflicts
Recency:– Too liberal in overriding existing rules– Does not work well in the presence of dynamic
changes, like adding a user to a group, moving a file
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 55
Our specificity semantics Conflict resolution procedure
– Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence)
– Otherwise, use deny-precedence Benefits
– If group rules are in conflict, can make a user-level exception
– Exceptions stay in place even when group rules change
– User-level or file-level exceptions stay in place even in the presence of dynamic changes
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 56
Enhanced Grid
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 57
Enhanced Grid
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 58
Semantics study #2 Laboratory study 3 conditions:
– Expandable Grid with specificity semantics– Expandable Grid with Windows semantics– Native Windows file permissions interface
54 participants, 18 per condition, novice policy authors 10 minutes training for all conditions Used large-scale Teaching Assistant scenario from prior
study 12 total tasks with counterbalanced task order
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 59
Results and discussion Conflict resolution semantics can have a big
effect on usability, but no perfect semantics Specificity helps resolve rule conflicts and makes
group rule exceptions easy Specificity semantics is not always better than
Windows semantics The grid/specificity combination overcomes
semantics disadvantages Whatever the semantics, show effective policy!