RoSI Lecture: Roles, Privacy, and Security. Thorsten Strufe. Disclaimer: parts from Elke Franz, Stefan Köpsell, Daniel Puscher. Dresden, 2015/2/10

Transcript of the slides (slide numbers are taken from the footer "Privacy and Security, Folie Nr. N" that each slide carries):

Slide 2: Outline
- Trends around us
- Some foundations of security
- Some basic definitions
- Identifying individuals
- Applying the role idea to control access
- A step further: exploiting the role idea to facilitate authorization

Slide 3: Trends around us
- From analog to digital.

Slide 4: Trends around us
- From occasional to pervasive.

Slide 5: A little terminology: What is a Threat?
- Abstract definition: A threat is any possible event or sequence of actions that might lead to a violation of one or more security goals. The actual realization of a threat is called an attack.
- Examples: a hacker breaking into a corporate computer; disclosure of e-mails in transit; someone changing financial accounting data; a hacker temporarily shutting down a website; someone using services or ordering goods in the name of others...
- But what are security goals? Security goals can be defined depending on the application environment, or in a more general, technical way.

Slide 6: Security Goals in Application Environments
- Public telecommunication providers: protect subscribers' privacy; restrict access to administrative functions to authorized personnel; protect against service interruptions.
- Corporate / private networks: protect corporate confidentiality / individual privacy; ensure message authenticity; protect against service interruptions.
- All networks: prevent outside penetrations (who wants hackers?).
- Security goals are also called security objectives.

Slide 7: Security Goals Technically Defined (CIA)
- Confidentiality: Data transmitted or stored should only be revealed to the intended audience. Confidentiality of identity (sometimes also of other data) is also referred to as privacy.
- (Data) Integrity: It should be possible to detect any modification of data. This requires being able to identify the creator of some data.
- Availability: Services should be available and function correctly.
- Accountability: It should be possible to identify the entity responsible for any communication event.
- Controlled Access: Only authorized entities should be able to access certain services or information.
- Several other models have been proposed; anything beyond CIA is constantly subject to arguments and discussions.

Slide 8: Threats Technically Defined
- Masquerade: An entity claims to be another entity.
- Disclosure of confidential information (eavesdropping): An entity reads information it is not intended to read.
- Authorization violation: An entity uses a service or resources it is not intended to use.
- Loss or modification of (transmitted) information: Data is being altered or destroyed.
- Denial of communication acts (repudiation): An entity falsely denies its participation in a communication act.
- Forgery of information: An entity creates new information in the name of another entity.
- Blackout (denial of service, sabotage): Any action that aims to reduce the availability and/or correct functioning of services or systems.

Slide 9: A little more Terminology
- Security service: An abstract service seeking to ensure a specific security property. It can be realised with the help of cryptographic algorithms and protocols or with conventional means: keep an electronic document on a floppy disk confidential by storing it on the disk in an encrypted format, or by locking the disk away in a safe. Usually a combination of cryptographic and other means is most effective.
- Cryptographic algorithm: A mathematical transformation of input data (e.g. data, key) to output data. Cryptographic algorithms are used in cryptographic protocols.
- Cryptographic protocol: A series of steps and message exchanges between multiple entities in order to achieve a specific security objective.

Slides 10 and 12 to 16: Security Services Overview (built up one service per slide; slide 16 repeats the complete list)
- Authentication: Ensure that an entity has in fact the identity it claims to have.
- Integrity: Ensure that data created by a specific entity is not modified without detection.
- Confidentiality: Ensure the secrecy of protected data.
- Access Control: Ensure that each entity accesses only services and information it is entitled to. (Slide 14 image credit: partikelchen.de)
- Non-Repudiation: Prevent entities participating in a communication exchange from later falsely denying that the exchange occurred.

Slide 11: Entity Authentication
- "Who's Brian of Nazareth? We have an order for him to be released." Terry Jones et al.: Life of Brian (1979)

Slide 17: Introducing some Actors of the Play
- For clarity it's good to have some model.
- Figure: Alice sends a message to Bob; the adversaries are Eve and Mallory.

Slide 18: Variations of the Play
- Figure with further characters: Craig (Alice's file on an HDD), Trudy (between Alice and Bob), a Terrorist, Dan, and Carol (honest but curious).

Slide 19: Potential Attackers and an Adversary Model
- A word on assumptions.
- Assume an adversary who can't break anything.
- Assume an omnipotent adversary. She could: access all information of interest; modify data unnoticed; physically destroy the system (or parts thereof).
- Could we deal with this? Unfortunately, no: nothing can protect from an omnipotent adversary.
- A more realistic (specific!) model of adversaries is needed.

Slide 20: On Eve, Mallory, Craig, and Trudy
- An adversary model needs to define:
  - the intention of the adversary: break and/or access something
  - the behavior: passive or active?
  - the capabilities of an attacker: computational capacity; resources (time and money)
  - the area of control: insider or outsider? local, regional, or global?

Slide 21: Eve and Mallory: Some common assumptions
- Figure: trusted domains at both ends of the communication, the area of attack in between (man in the middle).
- Generally, the adversary is limited: limited access; the attack has to be efficient.
Slide 22: Dolev-Yao Model
- Mallory has full control over the communication channel: intercept/eavesdrop on messages (passive); relay messages; suppress message delivery; replay messages; manipulate messages; exchange messages; forge messages.
- But: Mallory can't break (secure) cryptographic primitives!

Slide 23: Security Services and Roles: Access Control
- Somewhat of a recapitulation of what Stefan Weber told you.

Slide 24: Physical access control
- Objects vs. subjects: subjects have controlled access to objects.
- Prevents information disclosure; prevents tampering.
- Requires some gatekeeper: identification of subjects (authentication, later); explicit instructions (policy, policy descriptions, authorization); controlling (and granting) access.

Slide 25: Some Terminology
- Def: Access control comprises mechanisms to enforce mediation on subject requests for access to objects as defined in a security policy.
- Def: A subject is an active entity that can initiate a request for resources and utilize these resources to complete some task.
- Def: An object is a resource that is used to store, access, or process information.
- Def: An operation (action) is an instance of access, commonly a utilization, retrieval, or manipulation event, of a subject on an object.
- Objects historically had the notion of files or repositories; subjects are commonly processes (local or remote); operations historically: r, w, x.

Slide 26: Common Concept of Access Control
- The reference monitor is a concept to detail the decision process: a subject issues a request; the reference monitor checks it against the rights/policy, and the access to the object is either granted or denied.
- The RM is not necessarily a physical/logical component in the system.
- AC/RM may be implemented on different levels: online application: control access to functions/data; databases: control access to tables, columns; OS: control access to resources (files, devices).

Slide 27: IBAC: Access Control Matrix
- Task: configuration of authorizations (rights of subjects on objects): subject S performs operation r on object O.
- Define: set of objects O, set of subjects S, set of rights R (e.g. rwx). The access control matrix defines the mapping M: S × O → 2^R (e.g.: {true, false}).
- Advantages of the ACM: intuitive, flexible; easy to implement.
- Disadvantages of the ACM: huge, sparse, static.
- Example matrix over subjects s1, s2, s3 and objects o1 to o5, with cells such as o1: {read, write}; o2: {owner, execute}; o3: {read, write}; o4: {send, receive} and {signal}; o5: {send, receive}.

Slide 28: Access Control Description Schemes
- Access control lists (ACLs): columns of the ACM, i.e. the list of authorizations on an object. ACL(o1) = {(s1, {r, w}), (s2, {r})}; ACL(o2) = {(s3, {r, w, x})}.
  (*NIX: subjects are only identified as owner, group, others:)
  -r-x--xrwx 1 thorsten www-data 0 Jan 13 10:14 Super-Secret-Document-YEO
  Assessing the authorizations to an object is simple; assessing the authorizations granted to a subject is difficult.
- Capabilities: rows of the ACM, i.e. the list of objects and rights granted to a subject. CL(s3) = {(o2, {o, x}), (o4, {s, r})}. Advantages/disadvantages are the inverse of ACLs.

Slide 29: From IBAC to RBAC
- The complexity of IBAC yields problems of overview and adaptation.
- Subjects usually act in roles (specifically in organizations).
- Introduce the indirection of the role abstraction, e.g.:
  User → Role relation: Dr. Brains, Dr. Bones → physician; Nurse Kathy, Carer Tuck → nurse
  Role → Right relation: physician → read patient information, write diagnosis; nurse → read prescriptions, write blood values

Slide 30: Role-based Access Control
- Extend IBAC: set of subjects S, set of roles R, set of objects O, set of permissions P.
- Define the mappings sr: S → 2^R and pr: R → 2^P (subject → role → operation on object).
- Sessions are dynamic role assignments (a subject is active in a role); the subject is assigned the permissions from the role for the session accordingly.
- Role hierarchies and constraints extend RBAC.
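The reference monitor of slide 26, the access control matrix with its ACL and capability views of slides 27 and 28, and the RBAC relations with sessions of slides 29 and 30 fit into one small program. The following Python code is an added example, not code from the lecture: the subjects s1 to s3, objects o1 to o5, and the hospital users and roles are taken from the slides' examples, while the sparse dictionary representation, the function names (acl, capabilities, reference_monitor, rbac_as_acm) and the Session class are my own choices.

```python
"""Reference monitor over an access control matrix, its ACL / capability
views, and a small role-based layer with sessions.

Added example, not code from the lecture. The subjects s1..s3, objects
o1..o5 and the hospital users/roles mirror the slides' examples; the
function and class names are my own.
"""
from dataclasses import dataclass, field

# IBAC: the access control matrix M: S x O -> 2^R, kept sparse (only cells
# that grant something are stored), which is how one copes with a matrix
# the slides describe as "huge, sparse, static".
ACM = {
    ("s1", "o1"): {"read", "write"},
    ("s2", "o1"): {"read"},
    ("s3", "o2"): {"owner", "execute"},
    ("s3", "o4"): {"send", "receive"},
}


def acl(matrix, obj):
    """Column of the matrix: who may do what on one object (cheap to answer)."""
    return {s: set(rights) for (s, o), rights in matrix.items() if o == obj}


def capabilities(matrix, subj):
    """Row of the matrix: which objects one subject may use, and how."""
    return {o: set(rights) for (s, o), rights in matrix.items() if s == subj}


def reference_monitor(matrix, subj, obj, op):
    """Mediates a request (subject, object, operation) against the policy.
    Default deny: a missing or empty cell grants nothing."""
    return op in matrix.get((subj, obj), set())


# RBAC: sr: S -> 2^R (user-role relation) and pr: R -> 2^P (role-permission
# relation). Permissions are (object, operation) pairs.
USER_ROLES = {
    "dr_brains": {"physician"},
    "dr_bones": {"physician"},
    "nurse_kathy": {"nurse"},
    "carer_tuck": {"nurse"},
}
ROLE_PERMISSIONS = {
    "physician": {("patient_information", "read"), ("diagnosis", "write")},
    "nurse": {("prescriptions", "read"), ("blood_values", "write")},
}


@dataclass
class Session:
    """A session is a dynamic role assignment: the subject holds only the
    permissions of the roles it has activated, not of every role it owns."""
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role):
        # Only roles from the user-role relation sr may be activated.
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        self.active_roles.add(role)
        return self

    def permitted(self, obj, op):
        # Permission flows from the active roles via pr, never from the user directly.
        return any((obj, op) in ROLE_PERMISSIONS.get(r, set()) for r in self.active_roles)


def rbac_as_acm(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Expand the two RBAC relations into the equivalent (sparse) ACM. This
    expansion is what the role indirection saves you from maintaining by hand."""
    matrix = {}
    for user, roles in user_roles.items():
        for role in roles:
            for obj, op in role_permissions.get(role, set()):
                matrix.setdefault((user, obj), set()).add(op)
    return matrix


if __name__ == "__main__":
    print("ACL(o1) =", acl(ACM, "o1"))
    print("CL(s3)  =", capabilities(ACM, "s3"))
    print("s2 write o1:", reference_monitor(ACM, "s2", "o1", "write"))
    kathy = Session("nurse_kathy").activate("nurse")
    print("Kathy reads prescriptions:", kathy.permitted("prescriptions", "read"))
    print("Kathy writes diagnosis:", kathy.permitted("diagnosis", "write"))
    print("RBAC expanded to ACM:", rbac_as_acm())
```

Run directly, the script prints the ACL of o1, the capability list of s3 and the outcome of Kathy's session. The expansion rbac_as_acm makes the slides' point visible: four users and two roles already produce eight matrix cells, and changing what a physician may do is one edit in ROLE_PERMISSIONS instead of one per physician in the matrix.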
Slide 31: Security Services and Roles: Authentication

Slide 32: Identifying Humans & Entity Authentication
- Goal: identify a subject (user or process!) and verify its identity.
- Classes of authentication: user authentication (login); computer network authentication (identity management); identity verification service.
- Authentication cardinality:
  - One-way authentication: computer authenticates user; ATM authenticates cardholder; browser authenticates web server.
  - Two-way (mutual) authentication: ePass -- reader; UMTS cellphone -- network; online bank -- account holder (with certificates).

Slide 33: Authentication Factors
- Different factors can be used to authenticate a user:
  - Knowledge factors: passwords; answers to security questions
  - Possession factors: security token; smart card; keys/certificates
  - Inherence factors: biometric factors; signature
- Sometimes: other properties (e.g. location).

Slide 34: Entity Authentication
- Factor verification: direct (Alice vs. Bob) or mediated by an arbiter (TTP, Kerberos, Shibboleth).
- Basic requirements: the strength of a secret is determined by its entropy (passwords, biometry); provision and management: factors must remain secret (impersonation), be adjustable, with a possibility for revocation; monitoring, detection and reaction of/to malicious authentication attempts.
- Multi-factor authentication: combines different factors (examples?): ATM card (possession) and PIN (knowledge); password (knowledge) and mobileTAN (possession of cell phone). Requires independence of the factors. Increases security only as much as the weakest factor (security question?). Not to be confused with fall-back authentication, which is as secure as its weakest factor.

Slide 35: (image only, no text)

Slide 36: A few words about Privacy
- European Convention on Human Rights, Article 8, Right to respect for private and family life: "Everyone has the right to respect for his private and family life, his home and his correspondence."
- Data Protection: all means to prevent unwanted distribution and processing of personal data (and the consequences thereof). More precisely: protection of the privacy of individuals (and institutions); protection of data and protection from data. (Source: Datensicherheit, EF)

Slide 37: Models: Privacy Spheres
- Spheres with different protection requirements, commonly denoted as concentric circles: intimacy, private sphere, public.
- Information about a person: assignment of data to the corresponding sphere; potentially depends on the context. (Source: Datensicherheit, EF)

Slide 38: Models: Mosaic
- Partitions of information on individuals: the possibility to collect and link parts allows creating an accurate profile.
- Considers data from public or less protected spheres (combination!).
- Still difficult to assess which combinations are critical.
- Does not only consider collection, but processing as well. (Source: Datensicherheit, EF)

Slide 39: Models: Roles
- Individuals act in a role; only partial information is necessary for each of the roles.
- No partitioning, but an assessment of how sensitive each attribute is vs. the necessity for the tasks of the role: create partial identities (family, physician, employer, health insurance); ensure separation of the partial identities.
- However: control over sharing and processing is difficult (public agencies may collude). (Source: Datensicherheit, EF)

Slide 40: Conflict of basic security objectives
- Privacy: concealment of identities.
- Authentication: verification of peer identity.
- A bit more terminology (sorry for that!)
Slide 41: Identities and Roles
- Identity: An identity is any subset of attributes of an individual which identifies this individual within any set of individuals (better: an identity is any subset of attributes of an individual which distinguishes this individual from all other individuals within any set of individuals).
- A partial identity is a subset of attributes (data) of a complete identity, where a complete identity is the union of all attributes of all identities of this person.
- A role is a set of connected actions of actors in situations (i.e., situation-dependent identity attributes and properties). It is mostly defined as an expected behavior (i.e., sequences of actions) in a given individual context.
- All definitions cf. Pfitzmann/Hansen.

Slide 42: Identification of Entities (Nyms)
- Known individuals are identified by their descriptive attributes, or, in short, by names, identifiers, references.
- Entire removal of identifiers (for atomic transactions): anonymous (Greek: anonymos; an-: negation, -onym: named).
- Partial identities may need recurring IDs for sessions, dialogs: pseudonyms (Greek: pseudonymon; pseudo-: false / pretense, -onym: named).

Slide 43: Pseudonyms (figure; the protection, i.e. anonymity, increases from the first kind to the last)
- Person pseudonyms: public person pseudonym (phone number); non-public person pseudonym (account number); anonymous person pseudonym (biometric, DNA, as long as there is no register)
- Role pseudonyms: business relationship pseudonym (pen name); transaction pseudonym (one-time password)

Slide 44: Pseudonyms: Initial linking to holder
- Public pseudonym: The linking between pseudonym and its holder may be publicly known from the very beginning. Example: phone number with its owner listed in public directories.
- Initially non-public pseudonym: The linking between pseudonym and its holder may be known by certain parties (trustees for identity), but is not public, at least initially. Examples: passport number, bank account with the bank as trustee for identity, credit card number...
- Initially unlinked pseudonym: The linking between pseudonym and its holder is at least initially not known to anybody (except the holder). Examples: biometric characteristics; DNA (as long as there are no registers).

Slide 45: Pseudonyms: Use across different contexts = partial order
- A → B stands for "B enables stronger unlinkability than A". From weakest to strongest unlinkability: number of an identity card, social security number, bank account; then pen name, employee identity card number, customer number; then contract number; then one-time password, TAN, one-time use public-key pair.

Slide 46: One step further: Online Services

Slide 47: Different Modes of Use
- A user ("I have something to say that I need to share!") acts in several roles, each with its own identifier: Professional (ID); Private (IP); Friends, Family (nick); Customers/Colleagues (provider login, subscribers).

Slide 48: So how do people use (Facebook) today?
- Some very preliminary results.

Slide 49: Facebook Privacy Watcher/Analyser
- Long-term study on sharing and browsing behavior.
- Implementation of two browser extensions: Facebook Privacy Watcher; Facebook Privacy Analyzer.
- Recruitment and data collection.

Slide 50: Browser Extensions (screenshots)

Slide 51: Range of FPA data
- (Chart: number of days (Anzahl Tage) per user (Benutzer).)
- Collected: actions, contact lists, activity logs, notifications.

Slide 52: Range of FPW data
- Collection of properties of the user with feedback (opt-in):
  - Cache: privacy settings (Public, Friends, Only Me, Custom) for each field in the profile (hometown, birthday, movies, ...)
  - Filled: contains information about whether a field in the profile is filled or not
  - Photo albums: privacy settings for all photo albums
  - Notes: privacy settings for notes
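The definitions of slides 41 to 45 (an identity as a distinguishing attribute subset, partial identities, and pseudonyms whose reuse across contexts determines linkability), the mosaic model of slide 38 and the per-role identifiers of slide 47 can be tried out in code. The following Python program is an added example and not part of the lecture: the population of four individuals, their attributes and the three contexts are constructed, pseudonyms are random tokens, and the function names are my own. It shows that a person pseudonym reused in every context lets an observer link the partial identities into an identifying mosaic, a role pseudonym only links records within one role, and a transaction pseudonym links nothing.

```python
"""Partial identities, pseudonym reuse and the mosaic effect.

Added example, not from the lecture. The population, attribute names and
contexts are constructed; the pseudonym kinds follow the slides' taxonomy
(person / role / transaction pseudonym); the function names are my own.
"""
import secrets

# Constructed population. Each entry is a complete identity, i.e. the union
# of all attributes of that person. Deliberately small so that every match
# below can be checked by hand.
POPULATION = {
    "ind1": {"hometown": "Dresden", "birthday": "1980-03-01", "employer": "ACME",   "diagnosis": "asthma"},
    "ind2": {"hometown": "Dresden", "birthday": "1980-03-01", "employer": "Globex", "diagnosis": "none"},
    "ind3": {"hometown": "Dresden", "birthday": "1991-07-15", "employer": "ACME",   "diagnosis": "none"},
    "ind4": {"hometown": "Leipzig", "birthday": "1980-03-01", "employer": "ACME",   "diagnosis": "diabetes"},
}

# Constructed contexts: (role the person acts in, attributes disclosed there).
CONTEXTS = [
    ("family", ("hometown",)),
    ("family", ("birthday",)),
    ("employer", ("employer",)),
]


def matching(attrs, population=POPULATION):
    """Individuals whose complete identity agrees with every given attribute."""
    return {who for who, full in population.items()
            if all(full.get(k) == v for k, v in attrs.items())}


def is_identity(attrs, population=POPULATION):
    """Pfitzmann/Hansen: a subset of attributes is an identity if it
    distinguishes one individual from all others in the set."""
    return len(matching(attrs, population)) == 1


def partial_identity(who, keys, population=POPULATION):
    """The attribute subset a person discloses in one role or context."""
    return {k: population[who][k] for k in keys}


def publish(who, contexts, kind):
    """Emit one (pseudonym, partial identity) record per context.
    person: the same pseudonym everywhere (e.g. a phone number);
    role: one pseudonym per role (e.g. a pen name);
    transaction: a fresh pseudonym for every single record (e.g. a TAN)."""
    person_nym = secrets.token_hex(4)
    role_nyms = {}
    records = []
    for role, keys in contexts:
        if kind == "person":
            nym = person_nym
        elif kind == "role":
            nym = role_nyms.setdefault(role, secrets.token_hex(4))
        elif kind == "transaction":
            nym = secrets.token_hex(4)
        else:
            raise ValueError(f"unknown pseudonym kind {kind!r}")
        records.append((nym, partial_identity(who, keys)))
    return records


def link(records):
    """Mosaic step: an observer merges all records that carry the same
    pseudonym. Records under different pseudonyms cannot be joined; a
    contradicting value under one pseudonym is reported, not silently hidden."""
    profiles = {}
    for nym, attrs in records:
        merged = profiles.setdefault(nym, {})
        for k, v in attrs.items():
            if k in merged and merged[k] != v:
                raise ValueError(f"inconsistent value for {k} under pseudonym {nym}")
            merged[k] = v
    return profiles


def reidentified(records, population=POPULATION):
    """Linked profiles that single out exactly one individual."""
    return {nym: matching(attrs, population)
            for nym, attrs in link(records).items()
            if is_identity(attrs, population)}


if __name__ == "__main__":
    for kind in ("person", "role", "transaction"):
        recs = publish("ind1", CONTEXTS, kind)
        print(f"{kind:12s} pseudonym: {len(link(recs))} linkable profile(s),"
              f" re-identified: {reidentified(recs) or 'nobody'}")
```

Each context on its own is harmless for ind1: hometown and birthday together still match two people, the employer matches three. What changes the outcome is only the pseudonym policy, which is the slides' ordering of person, role and transaction pseudonyms by unlinkability made operational.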
Slide 53: Feedback data from FPW
- Initial settings: the settings that were set when the add-on was started for the first time.
- Statistics / Timeline: records all privacy changes made by the user; contains all timeline entries with their privacy setting, type of entry (status update, photo, ...) and the time when it was posted.
- Security settings: tracks how the security settings on Facebook are used (safe browsing, login notification, ...).
- Other data: country of the user and stats about the profile size.

Slide 54: Distribution of Profile Views (chart)

Slide 55: Privacy Settings on the Profile (chart)

Slide 56: Changes to Privacy Settings
Share of all recorded changes, from the setting in the row (Von) to the setting in the column (Nach); the diagonal, i.e. no change, carries no value. Labels: Öffentlich = Public, Freunde = Friends, Nur ich = Only Me, Benutzerdefiniert = Custom.

  from \ to       Public   Friends   Only Me   Custom
  Public                   26.8%     4.4%      1.5%
  Friends         22.6%              8.9%      4.7%
  Only Me         2.5%     4.8%                1.6%
  Custom          9.3%     10.1%     2.7%

Slide 57: Evolution of Behavior (chart)

Slide 58: Evolution of Privacy Settings (chart; sample sizes n = 343, n = 1904, n = 6665, further n values not extracted; categories: Public, Friends of Friends, Friends, Custom, Only Me)

Slide 59: Evolution of Privacy Settings (chart)

Slide 60: Summary
- A) Individuals and their roles are a vital subject for security.
- B) Access is controlled, after authorization of