Unit 4 - CS

The document discusses access control models and principles. It defines access control as regulating who or what can view or use resources. It describes three main access control models: role-based access control (RBAC) which controls access based on user roles, discretionary access control (DAC) which is owner-based, and mandatory access control (MAC) which is administered and enforces mandatory policies. It also discusses access control policies, principles of authentication, authorization and auditing.

Uploaded by

yuydokosta

Unit 4

Access Control

Reference: Chapter 4 Access Control, Computer Security: Principles and Practice, William Stallings and Lawrie Brown
Introduction: Access Control
• Access control is a security technique that regulates who or what can view or use
resources in a computing environment.
• It is a fundamental concept in security that minimizes risk to the business or
organization.
• The term ‘access control’ refers to “the control of access to system resources
after a user’s account credentials and identity have been authenticated and
access to the system has been granted.”
• Access control is used to identify a subject (user/human) and to authorize the
subject to access an object (data/resource) based on the required task.
• These controls are used to protect resources from unauthorized access and are put
into place to ensure that subjects can only access objects using secure and pre-approved methods.
Access Control Models
• A framework that dictates how subjects access objects.
• Different types of Access Control Models
1. Role-based Access Controls
2. Discretionary Access Controls
3. Mandatory Access Controls
Access Control Principles: Access Control Context
• In addition to access control, this context involves the following
entities and functions:
• Authentication: Verification that the credentials of a user or other system
entity are valid.
• Authorization: The granting of a right or permission to a system entity to
access a system resource. This function determines who is trusted for a given
purpose.
• Audit: An independent review and examination of system records and
activities in order to test for adequacy of system controls, to ensure
compliance with established policy and operational procedures, to detect
breaches in security, and to recommend any indicated changes in control,
policy and procedures.
Access Control Principles: Access Control Policies
• An access control policy, which can be embodied in an authorization
database, dictates what types of access are permitted, under what
circumstances, and by whom.
• Access control policies are generally grouped into the following
categories:
• Discretionary access control (DAC):
• Controls access based on the identity of the requestor and on access rules
(authorizations) stating what requestors are (or are not) allowed to do.
• This policy is termed discretionary because an entity might have access rights that
permit the entity, by its own volition, to enable another entity to access some resource.
Access Control Principles: Access Control Policies
• Mandatory access control (MAC):
• Controls access based on comparing security labels (which
indicate how sensitive or critical system resources are) with
security clearances (which indicate which system entities are eligible
to access certain resources).
• This policy is termed mandatory because an entity that has
clearance to access a resource may not, just by its own volition,
enable another entity to access that resource.
Access Control Principles: Access Control Policies
• Role-based access control (RBAC):
• Controls access based on the roles that users have within the system and on rules stating
what accesses are allowed to users in given roles.
• Attribute-based access control (ABAC):
• Controls access based on attributes of the user, the resource to be accessed, and current
environmental conditions
Role-based access control
• Role-based access control (RBAC) is an alternative to traditional discretionary and mandatory
access controls.
• RBAC, also known as a non-discretionary access control, is used when system administrators
need to assign rights based on organizational roles instead of individual user accounts within an
organization.
• It presents an opportunity for the organization to address the principle of ‘least privilege’.
• This gives an individual only the access needed to do their job, since access is connected to their
job.
• Users can be easily reassigned from one role to another.
• Roles can be granted new permissions as new applications and systems are incorporated, and
permissions can be revoked from roles as needed.
• The ability to modify policy to meet the changing needs of an organization is an important benefit
of RBAC.
Implementation
• Windows and Linux environments use something similar by creating ‘Groups’.
• Each group has individual file permissions and each user is assigned to groups based on
their work role.
• RBAC assigns access based on roles.
• This is different from groups since users can belong to multiple groups but should only be
assigned to one role.
• An accountant would only gain access to resources that an accountant would need on the
system.
• This requires the organization to constantly review the role definitions and have a process
to modify roles to segregate duties.
• Role creep is when an individual is transferred to another job/group and their access from
their previous job stays with them.
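An added example, not taken from the slides, of the RBAC model just described: each user holds exactly one role, reassignment replaces that role, and a check reports role creep (rights kept from a previous job). The organisation, roles and user names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Rbac:
    roles: dict = field(default_factory=dict)        # role -> {(object, right)}
    assignments: dict = field(default_factory=dict)  # user -> role (one role per user)
    direct: dict = field(default_factory=dict)       # user -> rights held outside any role

    def add_role(self, role, perms):
        self.roles[role] = set(perms)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.assignments[user] = role  # a user holds exactly one role

    def transfer(self, user, new_role, revoke_previous=True):
        """Move a user to a new job. With revoke_previous=False the old
        role's rights survive as direct grants: that is role creep."""
        old = self.assignments.get(user)
        if old is not None and not revoke_previous:
            self.direct.setdefault(user, set()).update(self.roles[old])
        self.assign(user, new_role)

    def permissions(self, user):
        role = self.assignments.get(user)
        return set(self.roles.get(role, set())) | self.direct.get(user, set())

    def check(self, user, obj, right):
        return (obj, right) in self.permissions(user)

    def role_creep(self, user):
        """Rights the user holds that the current role does not justify;
        an empty set means least privilege is respected."""
        role = self.assignments.get(user)
        return self.direct.get(user, set()) - self.roles.get(role, set())

def build_demo():
    # Constructed sample organisation (hypothetical roles and users)
    rbac = Rbac()
    rbac.add_role("accountant", {("ledger", "read"), ("ledger", "write")})
    rbac.add_role("sales", {("crm", "read"), ("crm", "write")})
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "accountant")
    rbac.transfer("alice", "sales")                        # clean reassignment
    rbac.transfer("bob", "sales", revoke_previous=False)   # sloppy reassignment
    return rbac
```

Reviewing `role_creep` for every user is the periodic role review the slide calls for; a non-empty result is the signal to revoke.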
Traditional Access Control Models
• Mandatory access control (MAC), also called lattice-based access control (LBAC)
• One-directional information flow
• The notion of a role is similar to the level of a login session
• Role hierarchies and constraints are critical
• Discretionary access control (DAC)
• The owner of an object has discretionary authority over who else can access
that object.
• Administrative roles are crucial and adequate
DAC Models
• In DAC, the owner of an object, who is usually its creator, has
discretionary authority over who else can access that object.
• DAC can be simulated in RBAC
• The DAC policies:
• The creator of an object becomes its owner.
• There is only one owner of an object.
• Destruction of an object can only be done by its owner.
• Access Control is at the discretion of the owner.
• Discretionary Access Control can be implemented using Access Control
Lists (ACL)
Subjects and Objects
• Subjects
• can be processes, modules, roles
• Objects
• can be files, processes, etc.

• Authentication is often used to bootstrap subjects, but is not necessary.
• e.g. a process assumes the identity of one subject, then another.
Access Control Matrix
• Instantaneous protection state of a system
• Dynamically Changing!
• How can we extend this model?
Subjects (rows) against objects (columns); 1 means access is permitted:

           A  B  C  D
  alice    0  0  1  0
  bob      1  1  0  1
  charlie  0  0  1  0
  dave     1  1  0  1
Adding Access Rights
• Access Rights
– e.g. Simple: Read, Write
– e.g. Complex: execute, change ownership
Subjects (rows) against objects (columns); dave's fourth cell is missing on the slide:

           A    B    C    D
  alice    r    r/w  r    -
  bob      r    r    -    r/w
  charlie  -    -    w    -
  dave     r/w  -    w
Grouping

• Subjects
– Groups e.g. staff = {alice,dave}, students = {bob, charlie}
• Objects
– Types e.g. system_file = {A,B}, user_file = {C,D}
• Can have compound names
– e.g. in AFS talg:friends, system:backup
ACLs
• What if I break my matrix down by columns?
– Each object has a set of <user, right> tuples
– A {<bob, r/w>, <alice,w>}
• Properties
– Good for many applications (file systems)
– Can grow quite large
Capabilities
• What if I break my matrix down by rows?
– Alice {<A,r/w>, <B,w>, <C,r>}
• Properties
– Natural model for delegation (rights coupled to object)
• Each tuple can be viewed as a handle to an object
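An added example (not from the slides) of the two decompositions just described: the matrix from the slide above, an ACL as one column, a capability list as one row, capability-style delegation, and the expansion of group/type grants into matrix entries. The matrix literal follows the slide, with "-" cells omitted and dave's missing fourth cell left out.

```python
MATRIX = {  # subject -> object -> rights, transcribed from the slide
    "alice":   {"A": {"r"}, "B": {"r", "w"}, "C": {"r"}},
    "bob":     {"A": {"r"}, "B": {"r"}, "D": {"r", "w"}},
    "charlie": {"C": {"w"}},
    "dave":    {"A": {"r", "w"}, "C": {"w"}},
}

def acl(matrix, obj):
    """Column view: the <subject, rights> tuples stored with one object."""
    return {s: set(row[obj]) for s, row in matrix.items() if obj in row}

def capabilities(matrix, subject):
    """Row view: the <object, rights> tuples held by one subject."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}

def allowed(matrix, subject, obj, right):
    return right in matrix.get(subject, {}).get(obj, set())

def delegate(matrix, giver, receiver, obj):
    """Capability-style delegation: the giver hands its handle on obj to
    the receiver. A subject can only pass on rights it actually holds."""
    rights = matrix.get(giver, {}).get(obj)
    if not rights:
        raise PermissionError(f"{giver} holds no capability for {obj}")
    matrix.setdefault(receiver, {}).setdefault(obj, set()).update(rights)

def expand_groups(grants, groups, types):
    """Resolve grants on subject groups and object types (e.g. staff may
    read system_file) into explicit per-subject, per-object entries."""
    matrix = {}
    for group, typ, right in grants:
        for subject in groups[group]:
            for obj in types[typ]:
                matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return matrix
```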
Access Control Matrix (Example)
Variations of DAC
• Strict DAC requires that the owner is the only one who has discretionary
authority to grant access to an object and that ownership cannot be transferred.
• Liberal DAC allows the owner to delegate discretionary authority for granting
access to an object to other users.
Variations of liberal DAC
• One Level Grant: The owner can delegate grant authority to other users but they cannot
further delegate this power.
• Two Level Grant: In addition to a one-level grant the owner can allow some users to further
delegate grant authority to other users.
• Multilevel Grant:
• DAC with Change of Ownership: This variation allows a user to transfer
ownership of an object to another user.
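An added example, not from the slides, that implements the DAC policies and variations above: the creator is the single owner, only the owner may destroy the object, grants are at the owner's discretion, and grant authority is delegated zero (strict), one or two levels down, with a separate mode for change of ownership. The class and mode names are constructed for this example.

```python
class DacObject:
    # How many levels of grant authority the owner may hand down in each variant
    LEVELS = {"strict": 0, "one_level": 1, "two_level": 2, "change_owner": 0}

    def __init__(self, name, creator, mode="strict"):
        self.name = name
        self.mode = mode
        self.owner = creator                 # the creator becomes the single owner
        self.rights = {creator: {"r", "w"}}  # user -> rights on this object
        self.grant_depth = {}                # user -> further levels they may delegate
        self.destroyed = False

    def can_grant(self, user):
        return user == self.owner or self.grant_depth.get(user, -1) >= 0

    def grant(self, granter, grantee, right):
        """Access is at the discretion of the owner (or a delegated granter)."""
        if not self.can_grant(granter):
            raise PermissionError(f"{granter} has no grant authority on {self.name}")
        self.rights.setdefault(grantee, set()).add(right)

    def delegate_grant(self, granter, grantee):
        """Liberal DAC: pass grant authority down one level. In strict DAC
        even the owner is refused; one-level stops after a single hop."""
        have = (self.LEVELS[self.mode] if granter == self.owner
                else self.grant_depth.get(granter, -1))
        if have < 1:
            raise PermissionError(f"{granter} may not delegate grant authority")
        self.grant_depth[grantee] = have - 1

    def transfer_ownership(self, current, new_owner):
        """Only the 'change_owner' variation lets the owner hand over ownership."""
        if self.mode != "change_owner" or current != self.owner:
            raise PermissionError("ownership cannot be transferred here")
        self.owner = new_owner

    def destroy(self, user):
        if user != self.owner:
            raise PermissionError("only the owner may destroy the object")
        self.destroyed = True

    def allowed(self, user, right):
        return not self.destroyed and right in self.rights.get(user, set())
```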
Mandatory Access Control
• Considered the strictest of all levels of access control systems.
• The design and implementation of MAC is commonly used by the government.
• It uses a hierarchical approach to control access to files/resources.
• Under a MAC environment, access to resource objects is controlled by the
settings defined by a system administrator.
• This means access to resource objects is controlled by the operating system
based on what the system administrator configured in the settings.
• It is not possible for users to change access control of a resource.
Mandatory Access Control
• Mandatory access control is a method of limiting access to resources
based on the sensitivity of the information that the resource contains
and the authorization of the user to access information with that level
of sensitivity.
• The sensitivity of the resource is defined by means of a security label.
• The security label is composed of a security level and zero or more
security categories.
• The security level indicates a level or hierarchical classification of the
information (for example, Restricted, Confidential, or Internal).
Mandatory Access Control
• The security category defines the category or group to which the
information belongs (such as Project A or Project B).
• Users can access only the information in a resource to which their
security labels entitle them.
• If the user's security label does not have enough authority, the user
cannot access the information in the resource.
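An added example (not from the slides) of the label comparison described on the last three slides: a label is a hierarchical level plus zero or more categories, a user may read a resource only when the user's label dominates the resource's, writes follow the one-directional flow noted under lattice-based access control, and labels are set by the administrator only. The level ordering (Internal lowest, Restricted highest) and the "Level:Cat1,Cat2" text form are assumptions made for the example.

```python
from dataclasses import dataclass

# Levels named on the slide; the ordering is an assumption for this example
LEVELS = {"Internal": 0, "Confidential": 1, "Restricted": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # zero or more categories, e.g. Project A

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def parse_label(text):
    """'Confidential:Project A,Project B' -> Label (constructed text form)."""
    level, _, cats = text.partition(":")
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level}")
    return Label(level, frozenset(c.strip() for c in cats.split(",") if c.strip()))

def can_read(clearance, resource):
    # A user reads only what their security label entitles them to
    return clearance.dominates(resource)

def can_write(clearance, resource):
    # One-directional flow: information may move up the lattice, never down,
    # so a subject may write only to a resource whose label dominates its own
    return resource.dominates(clearance)

class MacResource:
    """A resource whose label is set by the administrator, never by users."""
    def __init__(self, name, label, admin="sysadmin"):
        self.name, self.label, self.admin = name, label, admin

    def relabel(self, actor, new_label):
        if actor != self.admin:
            raise PermissionError("only the administrator may change a MAC label")
        self.label = new_label
```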
KERBEROS
• Users wish to access services on servers.
• Three threats exist:
• A user pretends to be another user.
• A user alters the network address of a workstation.
• A user eavesdrops on exchanges and uses a replay attack.

KERBEROS

Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.

A backbone network allows several LANs to be connected. In a backbone network, no station is directly connected to the backbone; the stations are part of a LAN, and the backbone connects the several LANs.
Kerberos servers


Authentication Server (AS)
The authentication server (AS) is the KDC in the Kerberos protocol.

Ticket-Granting Server (TGS)
The ticket-granting server (TGS) issues a ticket for the real server (Bob).

Real Server
The real server (Bob) provides services for the user (Alice).

Kerberos Operation

Using Different Servers

Note that if Alice needs to receive services from different
servers, she needs to repeat only the last four steps.

Kerberos Version 5

The minor differences between version 4 and version 5 are
briefly listed below:

1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.

Realms

Kerberos allows the global distribution of ASs and TGSs,
with each system called a realm. A user may get a ticket for
a local server or a remote server.
