CS 771/871 Operating Systems
Some Issues in Security
- User Authentication
- Resource Authentication
- Access Rights (at the cross product of users and resources)
- Unauthorized access
- Misinformation
- Denial of Service (many viruses)
- Encryption
- Physical Security
- Firewalls
Topics Chosen by You
- William Bunting
- Dave Cavitt
- Agustin Gonzalez
- Jian Zhao
Access Matrix Model (due to Lampson)
- Capability Model: efficient (segmented memory is a kind of capability system)
- Copy protection
- Review (who has access?)
- Revocation of rights
- Garbage collection
- Access Control List (Unix file protection is a kind of ACL)
- Lock/Key
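The following is an added illustration of the access matrix model described above (it is not Lampson's code or anything from the course). It keeps one set of (subject, object) cells and derives both the ACL view (a column: who has access to an object, the "review" question) and the capability view (a row: what a subject may touch) from them, then shows revocation and a simple copy-protection rule. Subjects, objects and rights are constructed sample values.

```python
"""Toy access matrix with ACL and capability views, revocation and copy control.
Added example for the course notes; all names and rights are constructed."""
from collections import defaultdict


class AccessMatrix:
    """Rights indexed by (subject, object). The ACL and capability views are
    two projections of the same cells."""

    def __init__(self):
        self._cells = defaultdict(set)   # (subject, obj) -> {rights}

    def grant(self, subject, obj, *rights):
        self._cells[(subject, obj)].update(rights)

    def check(self, subject, obj, right):
        """The reference-monitor question: may subject exercise right on obj?"""
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj):
        """Column of the matrix: who has access to obj (the review question)."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row of the matrix: what this subject may touch."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}

    def revoke(self, subject, obj, *rights):
        """Revocation is one cell update here. In a pure capability system the
        same operation has to find every copy of the capability, which is why
        the notes list copy protection and garbage collection as concerns."""
        cell = self._cells.get((subject, obj))
        if cell:
            cell.difference_update(rights)
            if not cell:
                del self._cells[(subject, obj)]

    def copy_right(self, giver, receiver, obj, right):
        """Propagate a right only if the giver holds it together with a 'copy'
        flag on that object (a simple copy-protection rule)."""
        if not (self.check(giver, obj, right) and self.check(giver, obj, "copy")):
            return False
        self.grant(receiver, obj, right)
        return True


def demo():
    """Constructed scenario: returns (ACL holders of payroll.db before
    revocation, bob's read right after revocation, bob's remaining row)."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write", "copy")
    m.grant("bob", "payroll.db", "read")
    m.grant("bob", "printer", "use")
    assert m.copy_right("alice", "carol", "payroll.db", "read")      # alice may pass read on
    assert not m.copy_right("bob", "dave", "payroll.db", "read")     # bob lacks the copy flag
    holders = sorted(m.acl("payroll.db"))                            # review: who can reach it?
    m.revoke("bob", "payroll.db", "read")
    return holders, m.check("bob", "payroll.db", "read"), m.capabilities("bob")


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three results; `demo()` returns them so they can be checked rather than only printed.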
Security Levels for Information Flow
- Lattice Model: defined by a partial order with
  - least upper bound
  - greatest lower bound
- Military Security: classification plus need to know
  - unclassified
  - confidential
  - secret
  - top secret
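As an added example (not part of the notes), the lattice below combines the four military classifications with need-to-know compartments. The partial order, least upper bound and greatest lower bound are implemented on `Level`, and two flow rules are derived from the order: a subject may read an object only if the object's level flows into the subject's ("no read up"), and may write only if its own level flows into the object's ("no write down"). The compartment names are constructed.

```python
"""Lattice of security levels: classification rank plus need-to-know compartments.
Added example; the four classifications are from the notes, compartments are constructed."""
from dataclasses import dataclass

CLASSIFICATIONS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    classification: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def __post_init__(self):
        if self.classification not in RANK:
            raise ValueError(f"unknown classification {self.classification!r}")

    def __le__(self, other):
        """Partial order: self flows into other iff its classification is no
        higher and every compartment it holds is also held by other."""
        return (RANK[self.classification] <= RANK[other.classification]
                and self.compartments <= other.compartments)

    def lub(self, other):
        """Least upper bound: the lowest level both levels flow into."""
        c = max(self.classification, other.classification, key=RANK.get)
        return Level(c, self.compartments | other.compartments)

    def glb(self, other):
        """Greatest lower bound: the highest level that flows into both."""
        c = min(self.classification, other.classification, key=RANK.get)
        return Level(c, self.compartments & other.compartments)


def may_flow(src: Level, dst: Level) -> bool:
    """Information may move from src to dst only if src <= dst in the lattice."""
    return src <= dst


def may_read(subject: Level, obj: Level) -> bool:
    """Simple security property ("no read up"): the object must flow into the subject."""
    return may_flow(obj, subject)


def may_write(subject: Level, obj: Level) -> bool:
    """*-property ("no write down"): the subject must flow into the object."""
    return may_flow(subject, obj)


if __name__ == "__main__":
    s_nato = Level("secret", frozenset({"nato"}))
    s_crypto = Level("secret", frozenset({"crypto"}))
    # two secret levels with different compartments are incomparable ...
    print(s_nato <= s_crypto, s_crypto <= s_nato)
    # ... but their least upper bound is a single level both flow into
    print(s_nato.lub(s_crypto))
```

Incomparable levels are the interesting case: two "secret" documents in different compartments cannot flow into each other, yet the lattice still gives a unique level (their lub) at which a summary of both may be stored.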
Encryption
- Private Key (DES)
- Public Key: can be used for signing a message.
Authentication
Use an Authentication Server AS:
- Each user X registers a secret key KX with AS.
- A sends the message (A, B, Ia) to AS, where B is the process to communicate with and Ia is a unique number (a nonce) generated by A.
- AS sends back to A the message Eka(Ia, B, CK, Ekb(CK, A)), where
  - CK is a conversation key generated by AS,
  - Ekb(...) means a message encrypted with B's secret key,
  - and the entire message is encrypted with A's secret key.
- A sends Ekb(CK, A) to B, which only B can read; now both A and B know the conversation key CK.
- Now secure communication can take place between A and B.
Problem: what if an intruder plays back an old message from A to B to confuse B? B could verify by sending A a nonce identifier Ib encrypted by CK and having A send back Ib-1.
Security of Security
- If one can change the access matrix, security is compromised. Access to the access matrix must itself be secure. How?
- Secret and private keys must be kept secure.
- Coercion: forcing a person to reveal a key.
- Protecting against spies and espionage.
- Learning by patterns of information flow: Domino's Pizza deliveries to the Pentagon at times of military crisis. Internal spies can exploit patterns to encode information.
- Biometrics: fingerprint, voice, DNA, brain waves, signature.
Location Authentication Protocol
More information can be found in the article reproduced below.
Location-based System Delivers User Authentication Breakthrough
by Dorothy E. Denning and Peter F. MacDoran
Copyright (c) 1996, Computer Security Institute. All Rights Reserved.
Existing user authentication mechanisms are based on information the user knows (e.g., password or PIN), possession of a device (e.g., access token or crypto-card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception or brute force search. Devices can be stolen. Biometrics can be vulnerable to interception and replay.
A new approach to authentication utilizes space geodetic methods to form a time-dependent location signature that is virtually impossible to forge. The signature is used to determine the location (latitude, longitude and height) of a user attempting to access a system, and to reject access if the site is not approved for that user. With location-based controls, a hacker in Russia would be unable to log into a funds transfer system in the United States while pretending to come from a bank in Argentina.
Location-based authentication can be used to control access to sensitive systems, transactions or information. It would be a strong deterrent to many potential intruders, who now hide behind the anonymity afforded by their remote locations and fraudulent use of conventional authentication methods. If the fraudulent actors were required to reveal their location in order to gain access, their anonymity would be significantly eroded and their chances of getting caught would increase.
Authentication through geodetic location has other benefits. It can be continuous, thereby protecting against channel hijacking. It can be transparent to the user. Unlike most other types of authentication information, a user's location can serve as a common authenticator for all systems the user accesses. These features make location-based authentication a good technique to use in conjunction with single log-on.
Another benefit is there is no secret information to protect either at the host or user end. If a user's authentication device is stolen, use of the device will not compromise the system but only reveal the thief's location.
A further benefit of geodetic-derived location signatures is that they provide a mechanism for implementing an electronic notary function. The notary could attach a location signature to a document as proof that the document existed at a particular location and instant in time.
The use of geographic location can supplement or complement other methods of authentication, which are still useful when users at the same site have separate accounts and privileges. Its added value is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, telephone switching, air traffic control, and banking, this extra assurance could be extremely important in order to avoid a potential catastrophe with reverberations far beyond the individual system cracked.
How it works
International Series Research (Boulder, CO) has developed a technology for achieving location-based authentication. Called CyberLocator, the technology makes use of the microwave signals transmitted by the twenty-four satellite constellation of the Global Positioning System (GPS). Because the signals are everywhere unique and constantly changing with the orbital motion of the satellites, they can be used to create a location signature that is unique to a particular place and time. The signature, which is computed by a special GPS sensor connected to a small antenna, is formed from bandwidth compressed raw observations of all the GPS satellites in view. As currently implemented, the location signature changes every five milliseconds. However, there are options to create a new signature every few microseconds.
When attempting to gain access to a host server, the remote client is challenged to supply its current location signature. The signature is then configured into packets and transferred to the host. The host, which is also equipped with a GPS sensor, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters to centimeters, if required).
For two-way authentication, the reverse process would be performed. In the current implementation, location signatures are 20,000 bytes. For continuous authentication, an additional 20 bytes per second are transferred. Re-authorization can be performed every few seconds or longer. The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA) security policy. Further, because a signature is invalid after five milliseconds, the attacker cannot spoof the location by replaying an intercepted signature, particularly when it is bound to the message (e.g., through a checksum or digital signature). Continuous authentication provides further protection against such attacks.
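The replay argument in the paragraph above rests on three host-side checks: the signature must be fresh (the five-millisecond window), it must be bound to the message it accompanies, and a signature already accepted must not be accepted again. The following is an added illustration of those three checks (it is not CyberLocator code). The geodetic comparison of the client's raw GPS observations against the host's own is out of scope here and is replaced by a constructed lookup table keyed by time window, so only the freshness, binding and replay logic is real; timestamps, messages and signature bytes are constructed.

```python
"""Freshness window, message binding and replay rejection for a time-dependent
location signature. Added example; the geodetic comparison is replaced by a
constructed lookup and the binding uses HMAC in place of the article's
unspecified checksum or digital signature."""
import hashlib, hmac

WINDOW_MS = 5   # the article: a signature is invalid after five milliseconds


def bind(signature: bytes, t_ms: int, message: bytes) -> bytes:
    """Tie the location signature to this message and timestamp so a signature
    captured on one request cannot be re-attached to a different request."""
    return hmac.new(signature, t_ms.to_bytes(8, "big") + message, hashlib.sha256).digest()


class Host:
    def __init__(self, expected_sig_for_window):
        # constructed stand-in for the host's own GPS observations: maps a
        # window index (t_ms // WINDOW_MS) to the signature expected from the
        # approved site during that window
        self._expected = expected_sig_for_window
        self._seen = set()   # (window, tag) pairs already accepted

    def verify(self, t_ms: int, now_ms: int, signature: bytes, message: bytes, tag: bytes) -> str:
        """Return "ok" or the reason the request is rejected; checks are ordered
        cheapest first so a stale packet never reaches the signature comparison."""
        if abs(now_ms - t_ms) > WINDOW_MS:
            return "stale"
        window = t_ms // WINDOW_MS
        expected = self._expected.get(window)
        if expected is None or not hmac.compare_digest(expected, signature):
            return "location mismatch"
        if not hmac.compare_digest(tag, bind(signature, t_ms, message)):
            return "not bound to message"
        if (window, tag) in self._seen:
            return "replay"
        self._seen.add((window, tag))
        return "ok"


def demo():
    """Constructed scenario: one honest request followed by four rejections."""
    sig = hashlib.sha256(b"constructed raw observations for window 200").digest()
    host = Host({200: sig})
    msg = b"TRANSFER 100 to acct 42"
    tag = bind(sig, 1000, msg)
    return [
        host.verify(1000, 1003, sig, msg, tag),                         # honest, inside the window
        host.verify(1000, 1003, sig, msg, tag),                         # same packet again
        host.verify(1000, 1003, sig, b"TRANSFER 999 to acct 7", tag),   # signature moved to a new message
        host.verify(1000, 1040, sig, msg, tag),                         # delivered 40 ms late
        host.verify(1005, 1006, sig, msg, bind(sig, 1005, msg)),        # wrong window for this signature
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for the reason the article gives: a replayed packet already fails freshness or the seen-set before any expensive processing, and the binding check is what stops an attacker from attaching a fresh, intercepted signature to a message of their own choosing.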
Conventional (code correlating and differential) GPS receivers are not suitable for location authentication because they compute latitude, longitude and height directly from the GPS signals. Thus, anyone can report an arbitrary set of coordinates and there is no way of knowing if the coordinates were actually calculated by a GPS receiver at that location. A hacker could intercept the coordinates transmitted by a legitimate user and then replay those coordinates in order to gain entry. Typical code correlating receivers, available to civilian users, are also limited to 100 meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy by employing differential GPS techniques at the host, which has access to its own GPS signals as well as those of the client. DGPS methods attenuate the satellite orbit errors and cancel SA dithering effects.
Where it works
Location-based authentication is ideal for protecting fixed sites. If a company operates separate facilities, it could be used to restrict access or sensitive transactions to clients located at those sites. For example, a small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each facility and connected by cable to a location signature sensor within the building. The sensor, which would be connected to the site's local area network, would authenticate the location of all users attempting to enter the protected network. Whenever a user ventured outside the network, the sensor would supply the site's location signature. Alternatively, rather than using a single sensor, each user could be given a separate device, programmed to provide a unique signature for that user. Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections. All that would be needed is a reasonably unobstructed view of the sky at the employee's home or remote office.
Related application environments include home banking, remote medical diagnosis and remote process control. Although it is desirable for an antenna to be positioned with full view of the sky, this is not always necessary. If the location and environment are known in advance, then the antenna can be placed on a window with only a limited view of the sky. The environment would be taken into account when the signals are processed at the host.
For remote authentication to succeed, the client and host must be within 2,000 to 3,000 kilometers of each other so that their GPS sensors pick up signals from some of the same satellites. By utilizing a few regionally deployed location signature sensors (LSS), this reach can be extended to a global basis. For example, suppose that a bank in Munich needs to conduct a transaction with a bank in New York and that a London-based LSS provides a bridge into Europe. Upon receiving the location signatures from London and Munich, the New York bank can verify the location of the Munich bank relative to the London LSS and the London LSS relative to its own location in New York.
The technology is also applicable to mobile computing. In many situations, it would be possible to know the general vicinity where an employee is expected to be present and to use that information as a basis for authentication. Even if the location cannot be known in advance, the mere fact that remote users make their locations available will substantially enhance their authenticity. In his new book, The Road Ahead, Bill Gates predicts that wallet PCs, networked to the information highway, will have built-in GPS receivers as navigational assistants. With the CyberLocator technology, these PC receivers can also perform authentication while being a factor of ten less expensive than conventional code correlating receivers (most of the processing is executed in the host rather than the remote units), which only achieve 100 meter accuracy, and a factor of a hundred less expensive than conventional DGPS receivers. Location-based authentication is a powerful new tool that can provide a new dimension of network security never before possible. The CyberLocator technology is currently operational in a portable demonstration.
Dorothy E. Denning is professor of computer science at Georgetown University (Washington, D.C.) and consultant to ISR. She can be reached at 202-687-5703 or denning@cs.georgetown.edu. Peter F. MacDoran is president and CEO of International Series Research, Inc. (Boulder, CO). He can be reached at 303-447-0300 or pmacdorn@isrinc.com.
Copyright chris wild 1996.
For problems or questions regarding this web contact [Dr. Wild].
Last updated: November 05, 1996.