The discretionary access control (DAC) model is the most widely used access control method. It is defined by the Trusted Computer System Evaluation Criteria (TCSEC) as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restricted by mandatory access control).”

DAC allows the owner of a resource to manage who can or cannot access the item. Owners maintain this access through ACLs, and they can delegate the ability to modify permissions to others. This removes the need for systems administrators to determine the importance of a document and who should have the necessary control. It puts the responsibility in the hands of the owner of the resource. Other than some highly specialized cases in the defense industry, every modern operating system supports DAC.

Mandatory access control (MAC) allows a systems administrator to maintain the security aspect of an object. It was established by TCSEC and is defined as “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorizations (i.e., clearance) of subjects to access information of such sensitivity.” MAC systems are sometimes used by government agencies to implement the national security classification system. The use of MAC in these cases ensures that one user cannot grant a second user access to information that would exceed the second user’s security clearance. For example, a user with access to a Top Secret document could not delegate that access to a user who possesses only a Confidential security clearance.

The access for an object is based on the sensitivity of the object versus the subject matter. The object’s access is related to the user who is attempting to access it. For example, if an object has a classification of Secret, the subject attempting to access the object must have a clearance of Secret or Top Secret. No ACLs are associated with the object, and neither the object nor the system user can change the sensitivity level. Similarly, a subject with a Top Secret clearance has access to an object that is at or below the clearance level.

MAC is considered one of the most secure access methods because it requires both the object and the subject to have security labels assigned to them. It is often used in a multilevel security (MLS) system. A MLS system allows the computer system to simultaneously process information of different classification levels and ensures a subject with the correct clearance can access only the information at his or her authorization level. In contrast, a multiple single level (MSL) environment does not allow different classification levels to commingle. A separate system would be used for each classification level.

Role-based access control (RBAC) is also known as nondiscretionary access control. It grants access to an object based on the subject’s role within the system. Three aspects are taken under consideration within an RBAC system:

• Role assignment—A subject can execute a transaction only if the subject has selected or been assigned a role. All active users are required to have an active role. For example, if the user Kevin is assigned to the Human Resources role, he is allowed to perform only the actions that this role allows.
• Role authorization—A subject’s active role must be authorized for the subject. This ensures that users can only take on roles that they are authorized for.
• Transaction authorization—A subject can execute a transaction only if the transaction is authorized for the subject’s active role.

Administering access within an RBAC system is considered easier for the administrator because the access is based on roles within the organization and what each role is allowed to do. For example, an administrator may define a Human Resources role for the entire HR organization. If Kevin moves from the HR department to the finance department, he is simply removed from the Human Resources role and placed in the Finance role.

Separation of duties expands the RBAC controls. For example, although Kevin’s role may be Finance, this does not mean that he needs full access to all financial data. Separating each role into the activities users are responsible for provides more granular access control. This ensures that no single user has enough control to compromise the system. This mechanism helps to deter fraud, ensuring that at least two people are required to perform a critical task. Separation of duties is also related to the least-privilege security principle. This principle states that a user should not have any more access than is necessary for the user to do his or her job.

Attribute-based access control (ABAC) systems grant access to the subject based on additional attributes that they must verify. For example, when accessing a system that is available only to residents of a particular town, the subject may have to enter an address within that town. This allows the administrator to have a more granular access control capability to the particular objects.

Attribute-based access control systems are an example of contextual access controls that use information about the current state of the user, connection, and device to make authorization decisions. Another common example of contextual access control is history-based access control (HBAC), which takes the past and present activity of the user into account when making access control decisions. For example, if a user who never logs on from nonoffice locations suddenly logs on from a foreign country, an HBAC system might deny this connection attempt because it differs from past activity.

Many organizations today are adopting Bring Your Own Device (BYOD) policies that allow users to access corporate systems and data using personally owned devices. To protect assets, organizations often limit BYOD device access to data. For example, companies might allow BYOD devices to access email and calendaring systems but deny those same devices access to restricted file servers containing extremely sensitive information. This is another example of an attribute-based access control system, where the attribute used in the access decision is an attribute of the device being used, rather than the user’s identity.

Rule-based access control (RuBAC) systems operate in a manner quite similar to MAC systems. The system administrator defines a set of rules for a system, service, or device, and then that set of rules determines future access.

The most common example of rule-based access control is a network firewall. Firewall administrators create a set of rules that describe the types of network traffic that are allowed to pass through the firewall. These rules may be based on source and destination Internet Protocol (IP) address, network protocol, network port, time of day, user identity, and many other attributes of the connection. When the rules used in RuBAC incorporate attributes of the user into those rules, the system may be considered both RuBAC and ABAC.

Risk-adaptive access control (RAdAC) systems take a more sophisticated approach to security decisions by incorporating information about both the security risk of an access control decision and the operational need for action into the risk determination process. Traditional access control systems simply grant or deny access based on the defined access control policies. Risk-adaptive approaches take additional information into account, as shown in FIGURE 5-1.

Authentication, with regard to a subject, is validating the subject’s claim of identity. There are multiple ways in which subjects can prove themselves.

Ensuring the authenticity of the subject can be determined by three factors. The more factors a subject can provide, the more trust one can put in that subject:

• Something you know—An item that the subject is aware of or has knowledge of
• Something you have—An item that the subject has possession of
• Something you are—A characteristic of the subject

Something You Have

In addition to something you know, something you have can help identify you and/or prove your claim of identity. This identifier can be an automated teller machine (ATM) card, a token, a driver’s license, or a passport—anything that supports your identity claim simply because you have it. These forms of authentication do not require you to remember a password, but they are something you must have in your possession to authenticate. Consider an example where you visit a bank and request the withdrawal of funds. You can’t simply walk up to the teller and say “I’m Bob, please give me $500.” (Wouldn’t that be nice?) The teller will certainly ask you to prove your claim of identity. You’d most likely satisfy this request by showing her your driver’s license. The license contains your name and picture, and the teller uses it to authenticate you before giving you cash.

A token is a physical or software device that can be used instead of a password or in conjunction with a password or PIN. Tokens come in many forms, such as a card with a screen and/or a keypad. There are two varieties of token devices:

• Synchronous tokens—Use time or a counter as a means of authentication
• Asynchronous tokens—Use a challenge and response as a means of authentication

Smart card. A smart card is a card that is the same size as a credit card and has a computer chip embedded in it. The computer chip holds data pertaining to the owner of the card and is used in various transactions through a smart card reader. Smart cards are also referred to as integrated circuit cards (ICCs). Smart cards are considered reliable because the information stored within the card cannot be easily accessed if the card is lost or stolen, but it can be used by other subjects if additional forms of verification are not required.

There are two primary types of smart cards:

• Contact smart card—This type of card must be inserted into a smart card reader to gain authentication or access for the subject.
• Contactless smart card—This type of card is often used for access into facilities. Instead of having to insert the card into a reader, the subject waves the card in front of the reader to verify his or her access credentials. The subject receives access or is denied access to the location. Contactless cards are also known as proximity cards or “prox” cards.

Time-variable token. A time-variable token is a synchronous token in the form of a one-time password. It is a dynamic password in that it can be used only once. After a single use, it is no longer valid. A time-variable token is valid for a specific period of time, such as 60 seconds. When authentication is based on time, the token (hardware or software) time must be synchronized with an authentication server. The time and the seed record are the main components. The seed record is the symmetric encryption key, which is shared between the token and the authentication server. This seed record encrypts the clock time; the result is a one-time password. The same seed record is used for both the token and the authentication server. Because the authentication server knows that this token is the only other device with that seed record, it knows that the token code entered comes from the person holding this particular token.

FYI

A Common Access Card (CAC) was implemented under Homeland Security Presidential Directive 12 (HSPD-12). It is used by the DoD for authentication and access to federal facilities and computer systems. This card holds information regarding the user such as his or her identity, clearance level, and physical and logical access capabilities. In 1987, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) implemented ISO/IEC 7816 for ICC with contacts, such as smart cards.

Challenge-response device. A challenge-response device is an asynchronous token. Authentication occurs via communication with the token device, the authentication server, and the user. A request is sent to the authentication server and a challenge (a random set of numbers) is returned. The user enters this challenge into the token, the token encrypts it, and another value is returned. The user then uses this end value as the password. Once the authentication server receives this end value, it decrypts it. If the end value matches the challenge, the user is authenticated. This exchange between the user, authentication server, and token device is shown in FIGURE 5-2.

The most significant weakness in “something you have” authentication is that a possession-based authentication factor may be lost or stolen.

Now that you understand the various methods of authentication, it is important to understand how they can work together to create a more secure environment and thwart identity theft. Understanding what the user is trying to access and the risk associated with a loss of the data determines what methods or combination of methods should be used.

The process for Kerberos authentication involves three primary steps: client authentication, client service authorization, and client service requests. It is important to understand the entire process because Kerberos authentication proves an identity across an unsecure network connection.

The following steps are performed during client authentication:

1. The user enters a user ID and password into the client.
2. The client performs a hash on the password, creating a secret key for itself and for the user.
3. The client sends a message of the user ID to the authentication server (AS) and requests services. This message is sent as cleartext—unencrypted. The AS performs a hash on the password of the user ID in its database. This creates a secret key.
4. The AS responds with two messages if the user is successfully authenticated. The two messages are:
   • A Ticket-Granting Ticket (TGT) for the server that has been encrypted using the secret key of the Ticket Granting Service (TGS)
   • A client/TGS session key, which is a temporary key encrypted using the secret key of the client/user
5. The client receives the two messages. After decrypting the client/TGS session key, the client uses the session key when communicating with the TGS in the future.

The following steps are performed during client service authorization:

1. The client sends two messages to the TGS when requesting services:
   • The TGT and the ID of the requesting service
   • An authenticator encrypted by the client/TGS session key
2. When the two messages are received, the TGS decrypts the TGT with the TGS secret key. This results in the client/TGS session key. The TGS decrypts the authenticator and sends two messages to the client:
   • A client-to-server ticket, which is encrypted with the service’s secret key. The client-to-server ticket includes the client ID, client network address, validity period, and client/server session key.
   • A client/server session key, which is encrypted with the client/TGS session key.

When a client requests a service, the following steps are taken:

1. The client connects to the service server and sends the following two messages:
   • A client-to-server ticket encrypted using the service’s secret key
   • A new authenticator encrypted using the client/server session key; the new authenticator has the client ID and timestamp
2. The service server decrypts the ticket with its own secret key to retrieve the client/server session key. With the session keys, the service server decrypts the authenticator and sends a message to the client to confirm its identity and willingness to serve the client. The message includes the timestamp from the client’s authenticator, which is encrypted using the client/server session key.
3. The client decrypts the confirmation message using the client/server session key and checks to see if the timestamp is updated correctly. If so, the client can trust the server and starts issuing service requests to the server.
4. The service server provides services to the client.

The Kerberos authentication, authorization, and service request processes are shown in FIGURE 5-3.

Kerberos performs authentication as a trusted third-party authentication service via a shared secret key (symmetric key). When a client wants to obtain authentication credentials for a server that it does not have credentials for, the exchange between the authentication server and the client is initiated by the client. The client’s secret key is used for encryption and decryption. This exchange obtains credentials for a TGS, which will also be used for obtaining subsequent credentials.

One of the primary reasons for implementing Kerberos is that without it, the principals do not trust one another. Principals can be applications, users, or network services. The principals trust only the Key Distribution Center (KDC), which is why the KDC creates tickets for the communication among the principals. Communication among principals is vouched for by the KDC, and the KDC ensures that it is acceptable for the principals to talk to one another.

The KDC acts as a trusted third party. The purpose of a KDC is to provide a secure environment for distributing keys. It provides tickets and temporary session keys for both initial tickets and ticket-granting requests and acts as both an authentication service and a ticket-granting service.

Because Kerberos is formed on symmetric encryption and shared secret keys, the database for all of the secret keys for the principals on the network is maintained by the KDC. As an authentication server, it authenticates a principal via a pre-exchanged secret key. After the authentication occurs, the KDC acts as a TGS. As a TGS, it provides a ticket to a principal establishing a trusted relationship among other principals. The principals trust the integrity of the KDC, which is an essential part of Kerberos security.

Principals are preregistered with a secret key in the KDS through a system registration process. A set of these principals is called a “realm,” and the realm is used to administer logical group resources and users. When added to the Kerberos realm, the principal is given a realm key used for initial trusted communications. Once a principal becomes a member of a Kerberos realm, the principal can then be authenticated by the authentication server.

Tickets are generated by the KDC and provided to the principal when authentication is needed. For example, when Kevin needs to access a specific file share, a request is made to the KDC. The KDC, in return, provides the TGT and client/TGS session key. Kevin will use the TGT for authorization to the file share.

As a whole, Kerberos is a very secure protocol. However, all protocols have weaknesses. It is important to note that any weaknesses with Kerberos are based on the concepts within the protocol and not the underlying cryptography.

Like any authentication system, Kerberos can have weaknesses if improperly implemented. Security administrators should be aware of these potential weaknesses, which include:

• Brute-force attacks—The system is susceptible to brute-force attacks. Brute-force attackers simply repeatedly guess an account’s password until they are successful. They typically start with a list of dictionary words and move on to try combinations and variations of dictionary words. If a user has a weak password, especially one that consists of dictionary words, it may be easily discovered.
• Key storage—All keys must be stored securely for the user and server. If this is not done correctly and an attacker gains access to the keys, the entire system could be compromised.
• Kerberos tickets are cached on a user’s computer system—If an attacker were to obtain access to these tickets, he or she could impersonate that user on the network.
• Clocks must be synchronized to complete authentication—There is a time availability period, and if the times are more than 5 minutes apart, authentication will not occur.
• Central server continuous availability requirement—Authorization on a network is an occurrence that happens multiple times for principals. Loss of time can be costly to enterprises. Organizations must design networks so that the Kerberos components are always available to users and authentication is never compromised.
• Requirement for host synchronization—Ensuring that servers are available at all times requires the servers to have the same information. Synchronizing information between multiple servers and sites will minimize any downtime that occurs when a server or site goes offline.
• Potential single point of failure—The KDC is a single point of failure in the communication line. If the KDC were to go down, users would no longer be able to authenticate to any systems on the network. Loss of the KDC has a critical impact to the enterprise, and a business continuity plan needs to be designed around it. Part of this plan should include multiple KDC systems sharing information so that end-user access and productivity is never diminished.

Many organizations use Kerberos daily for employee authentication and access to resources. Consider this example of appropriate use of Kerberos in the business environment, featuring Kevin.

Kevin logs on daily to the corporate network with his computer system. He provides a username and password. When Kevin logs on, his user ID is sent to the authentication server on the KDC. A TGT is provided to Kevin, and it is encrypted with Kevin’s password (secret key). If it is the correct password, the TGT will be decrypted and access is granted to the computer system. The secret key will reside temporarily on the computer system.

Later in the day, Kevin needs to print some documents for his meeting. Kevin’s system sends the TGT to the TGS on the KDC. The TGS creates a client/server session key and provides it to Kevin’s system, which he uses to authenticate to the print server. This second ticket contains the session key that is encrypted by Kevin’s secret key and another session key that is encrypted by the print server’s secret key. This second ticket also contains a timestamp and the computer system’s IP address. These components added to the second ticket are the authenticator.

Kevin’s system receives the second ticket, decrypts it with his secret key, and removes the session key. Kevin’s system also adds a second authenticator and sends the ticket to the print server. The print server receives the second ticket and decrypts it with its secret key and removes the session key and the two authenticators. If the print server is able to decrypt the session key, it knows to trust Kevin’s system because it knows the KDC created the ticket.

Remember that only the KDC has the key to encrypt the session key. Also, if the authenticators from the KDC and Kevin’s computer system match, it knows the request was sent for the correct principal.

The beauty of Kerberos is that Kevin does not even need to be aware that any of this is taking place. It is the responsibility of Kerberos and the operating system to handle all of these ticket requests. Kevin merely needs to provide the correct username and password for his account.