Protection and Security
The purpose of a protection system is to prevent
accidental or intentional misuse of a system.
- Accidents: Problems of this kind are easy to anticipate (it's
possible to take action to minimize the likelihood of an accident).
- Malicious abuse: Problems of this kind are very hard to completely
eliminate (in order to protect completely against malicious abuse, one must anticipate and eliminate every loophole and resist any temptation to play on
probabilities).
There are three aspects to a protection mechanism:
- User identification (authentication): make
sure we know who is doing what.
- Authorization determination: must figure out
what the user is and is not allowed to do. Need a simple database for this.
- Access enforcement: must make sure there are
no loopholes in the system.
Even the slightest flaw in any of these areas may
ruin the whole protection mechanism.
Authentication
User identification is most often done with
passwords. This is a relatively weak form of protection.
- A password is a secret piece of information used to establish
the identity of a user.
- Passwords should not be stored in a readable form. One-way
transformations should be used. A 1-way function is an interesting function that is relatively easy to compute, but difficult to invert (essentially the only way
to invert it is to compute all the forward transforms looking for one that matches the reverse).
- Passwords should be relatively long and obscure.
- Systems like UNIX(R) don't store the password, but the result of
a 1-way function on the password. To check a user's password, the system takes the password as input, computes the 1-way function on it, and compares it with
the result in the password file. If they match, the password was (with high probability) correct. Note that even knowing the algorithm and the encrypted
password, it's still impossible to easily invert the function.
Although it's theoretically reasonable to leave a
hashed password file in the open, it is rarely done anymore. There are a couple of reasons:
- In practice, bad passwords are not uncommon enough, so rather
than having to try all the passwords (or half the passwords on average), trying a large dictionary of common passwords is often enough to break into an account
on the system.
- Password file can be attacked off-line, with the system under
attack completely unaware that it is under attack. By forcing the attacker to actually try passwords on the system that they're invading, the system can
detect an attack.
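The UNIX-style check described above (store only the output of a 1-way function, recompute it on login) and the dictionary weakness from the first reason, as an added example that is not from these notes. It assumes PBKDF2-HMAC-SHA256 as the 1-way function and a per-user salt, neither of which the notes specify, and the password file and dictionary are constructed sample data; the audit function shows, from the administrator's side, which accounts a small dictionary would already cover.

```python
import hashlib
import hmac
import os

# Cost parameter: each guess costs this many hash iterations, which slows an
# off-line dictionary attack without noticeably slowing a legitimate login.
ITERATIONS = 100_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build what the password file stores: a per-user random salt plus the
    one-way transform of (salt, password). The password itself is never kept."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the forward transform on the candidate and compare it with the
    stored result; the function is never inverted."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def weak_accounts(password_file: dict, dictionary: list) -> list:
    """Administrator-side audit: which accounts would fall to a dictionary of
    common passwords? Because of the salt, each account must be tried separately;
    a single precomputed table cannot be reused across users."""
    return sorted(user for user, rec in password_file.items()
                  if any(check_password(rec, word) for word in dictionary))


# Constructed sample password file with fixed salts so the example is repeatable
# (a real system would use os.urandom salts, as make_record does by default).
PASSWORD_FILE = {
    "alice": make_record("glacier-violin-37-turnstile", salt=bytes(range(16))),
    "bob": make_record("password", salt=bytes(range(16, 32))),
    "carol": make_record("W7#qpL!vz2Rm", salt=bytes(range(32, 48))),
}
# Constructed stand-in for the "large dictionary of common passwords".
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print(check_password(PASSWORD_FILE["alice"], "glacier-violin-37-turnstile"))
    print(weak_accounts(PASSWORD_FILE, COMMON_PASSWORDS))
```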
Another form of identification: badge or key.
- Does not have to be kept secret.
- Should not be able to be forged or copied.
- Can be stolen, but the owner should know if it is.
Key paradox: key must be cheap to make, hard to
duplicate. This means there must be some trick (i.e. secret) that has to be protected.
Once identification is complete, the system must be
sure to protect the identity since other parts of the system will rely on it.
Authorization determination
Must indicate who is allowed to do what with what.
Draw the general form as an access matrix with one row per user, one column per file. Each entry indicates the privileges of that user on that object. There are
two general ways of storing this information: access lists and capabilities.