SECURITY & PROTECTION

INDEX

Security environment Security problem Design principles of security User Authentication

Security environment

Goal Threat

Data confidentiality

Exposure of data

Data integrity Tampering with data

System availability Denial of service

Goal

Data confidentially : ability to protect secretData integrity : ability to protect the data contentSystem availability : ability to continue to operate

Security problem

Natural causes - fires,floods,quakes,wars,etc. Hardware or Software errors - CPU malfunctions , unreadable disks , program bugs etc. Human error - Incorrect Data entry , wrong tape mounted , wrong program run,

Design principles for security• System design should be public

• Default should be no access• Check for current authority• Give each process least privilege possible• Protection mechanism should be• Simple• Uniform• In the lowest layers of system

• Scheme should be psychologically acceptable• Biggest thing: keep it simple!

User Authentication Problem: how does the computer know who you are? Solution: use authentication to identify

Something the user knows Something the user has Something the user is

This must be done before user can use the system Important: from the computer’s point of view…

Anyone who can duplicate your ID is you Fooling a computer isn’t all that hard…

User Authentication

Many ways to of authentication: - Passwords

- Pass phrases

- One – time Passwords (exa. Secure ID)

- Biometrics

Password

9

• Successful login lets the user in• Login rejected after entered name ( easier to crack)• Login rejected after name and password entered

Login: elmPassword: foobar

Welcome to Linux!

Login: jimpUser not found!

Login:

Login: elmPassword: barfleInvalid password!

Login:

Continue….. Passwords should be memorable

Users shouldn’t need to write them down! Users should be able to recall them easily

Passwords shouldn’t be stored Password file is often readable by all system users! Password must be checked against entry in this file

Solution: use hashing to hide “real” password One-way function converting password to meaningless string of digits

- Unix password hash, MD5, SHA-1 Difficult to find another password that hashes to the same random-looking string Knowing the hashed value and hash function gives no clue to the original password

Pass Phrases

“It is a sequence of words or other text used to control access to a computer system, program or data.”

• It is applicable to system that use the passphrase an encryption key.• In pass phrases following point are must remember: - long enough to be hard to guess - Not a famous quotation from literature , holy books, etc.• Hard to guess by intuition - even by someone who knows the user well• Easy to remember and type accurately

One – time passwords

“One time password is valid for only one login session or transaction.”

It also known as dynamic password. Two factor authentication - something you know - something you have Generation of a one time password are below: - Time synchronization - Mathematical algorithm

Benefits of OTPs

Can not be reused Avoid expensive hardware tokens Can be used over untrusted communication paths - Telnet, web-based, serial terminals Can use with a compromised user password

Biometric Use basic body properties to prove identity Examples include

Fingerprints Voice Hand size Retina patterns Iris patterns Facial features

Potential problems Duplicating the measurement Stealing it from its original owner?

Program threats

viruses Logic bombs Trap doors Trojan horses Exploiting bugs in OS code

Viruses

“ program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes “

Example: if you open email and a malicious piece of code was download onto your computer causing your computer to freeze

Logic bombs

“a piece of code intentionally inserted into software that will set off a malicious function when specified condition are met.”

Example: a programmer may hide a piece of code that

starts deleting files .

Trap doors

“The designer of a program or system might leave a hole in the software that only Operating System is capable of using. A clever trap door could be included in a compiler. The compiler could generate standard object code as well as a trap door, regardless of the source code being compiled “

Trojan horse

“A program in which malicious or harmful code is contained inside apparently harmless programming or data in such way that it can get control and do its chosen form of damage ,such as a running the file allocation table on your hard disk.”