Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Chapter 3 Part 3 Pages 209 to 227.

Similar presentations

Presentation on theme: "Access Control Chapter 3 Part 3 Pages 209 to 227."— Presentation transcript:

1 Access Control Chapter 3 Part 3 Pages 209 to 227

2 SSO Page 219

3 Kerberos Authentication protocol Mid-1980’s MIT Has been used for years in UNIX, Windows 2000, 2003, 2008 Kerberos is a single sign-on system for distributed environments Use symmetric key cryptography (shared secret key)

4 Kerberos Figure 3-12 on page 211 KDC – Key Distribution Center – Holds all users’ and services’ secret keys AS – Authentication Service – On KDC – Send your username and password – TGT – Ticket Granting Ticket encrypted with secret key

5 Kerberos To access print server send TGT to TGS – Ticket Granting Service TGS sends a ticket with two copies of session key (one encrypted with user’s secret key and one with the print server’s secret key) User extract session key sends the ticket to print server User can send document.

6 Kerberos None of the principals trust each other User enter username and password only once – SSO KDC is a single point of failure Secret keys are temporarily stored on user’s workstation – possible attack OS needs to prevent password guessing by tracking login attempts

7 SESAME Extends Kerberos by using asymmetric (public key) technology to sign PAC (Privileged Attribute Certificate) using PAS private key – PAC contains user’s identity, access time period

8 Security Domain Domain is a set of resources available to a subject Figure 3-14 on page 216 Security domain – domain working under the one security policy and managed by the one group Separated by logical boundaries such as firewalls with ACLs

9 Security Domains Figure 3-14 on page 216 Hierarchical Isolated by using subnets Figure 3-15 subject access different domains depending on trust level

10 Directory Services Network directory service – Identifies all resources (printer, file domain controllers) using a hierarchical naming to identify resources logical and physical location using X.500 standard – Request use LDAP (Lightweight Directory Access Protocol) – Enforce security policy

11 Thin Clients Diskless computers Computer cannot do anything on their own so enforces strict security policy No USB or CD-ROM for theft of information

12 SSO Page 219

13 Access Control Models Discretionary Mandatory Role Based Built into the kernel of the OS

14 Discretionary Access Control Owner of the resource determines which can access the resource Most commonly uses ACLs (Access Control Lists) Windows, UNIX, Mac Flexible, less administration

15 Discretionary Access Control Malware can install itself under the security context of the user Constant battle between functionality and security Nondiscretionary access – Classroom computers – Cannot install software

16 Mandatory Access Control User do not have discretion of determining who can access objects Cannot install software – Malware cannot be installed Used by military to maintain top secret information

17 Mandatory Access Control User is given security clearance (confidential, secret, top secret) Data is given security label (confidential, secret, top secret) SE Linux A lot of administrative overhead, expensive, and not user-friendly

18 Sensitivity Labels = Security Labels Classification – Confidential, Secret, Top Secret Category – UN, Information warfare, Treasury

19 Role-Based Access Control Job role with an organization Centrally administered Best if high employee turnover Organizations are moving toward RBAC

20 Core RBAC When user logins roles and groups are assigned Can be configured for time of day and location

21 Hierarchical RBAC Models organizational structure The higher you are in the chain of command, the more access you will most likely have

22 Separation of Duties Static Separation of Duty Relationship through RBAC – Deter fraud – Cashier and Accounts receivable Dynamic Separation of Duties through RBAC – Deter fraud by constraining the combination of privileges

23 Access Control Models Page 227

Download ppt "Access Control Chapter 3 Part 3 Pages 209 to 227."

Similar presentations

Ads by Google