The Riddle of the Sphinx
Transcription

Authorization
Brown University CS1951-E CC BY-SA 2.5

Riddle of the Sphinx
The Sphinx is said to have guarded the entrance to the Greek city of Thebes, and to have asked a riddle of travellers to allow them passage, strangling and devouring anyone unable to answer.
Which creature has one voice and yet becomes four-footed and two-footed and three-footed?
Source: https://en.wikipedia.org/wiki/Sphinx#The_Riddle_of_the_Sphinx

Riddle of the Sphinx
Man—who crawls on all fours as a baby, walks on two feet as an adult, and uses a walking stick in old age.

What is authorization?
● Acquiring authority by proving something about yourself
  ○ Who are you?
  ○ What rights do you have?
  ○ What properties do you have?

Rights you might have
● I’m allowed…
  ○ In this room/building
  ○ To access this file
  ○ To drive a car
  ○ To enter this country

Properties you might have
● Age (e.g. to be served alcohol)
● Employment status (e.g. military, unemployment, etc.)
● Religion (e.g. Birthright Israel)
● Health status (e.g. blood type, insurance, military job)
● Country of origin (e.g. to prove work eligibility)

Now PROVE IT!
Source: http://mrconservative.com/files/2014/02/2014.02.05-mrconservative-52f1d981c8e43 jpg

Usual Three-step Authorization Process: Identify, Authenticate, Authorize
● Identity is a unique identifier for a person
  ○ E.g. name, social security no., login
● Authentication is a process for proving a person’s identity.
  ○ E.g. ID card, birth certificate, password
● Authorization is a process for proving rights.
  ○ Can use authenticated identity, but not always needed!

Methods of Proof
● Something you have
● Something you are
● Something you know
● Something you can do

Something you have
● Physical object that grants access
● Examples
  ○ Key
  ○ ID card
  ○ Token generator for two-factor authorization (Google Authenticator, Authy, RSA SecurID)
  ○ King’s seal (in wax)

Something you have (cont.)
● Strengths
  ○ Easily transferable
● Weaknesses
  ○ Easily transferable
  ○ Can be lost or stolen
  ○ Can be forged
    ■ e.g. a key can be made from photos

Something you are
● Biometric information
● Examples
  ○ Fingerprints
  ○ Facial recognition
  ○ Retinal scan
  ○ DNA test
  ○ Smell (for animals)

Something you are (cont.)
Jacob, Esau, and the first biometric authentication system

Something you are (cont.)
● Strengths
  ○ Non-transferable
  ○ Usually identifies an individual
● Weaknesses
  ○ Forgeable
    ■ Chaos Computer Club forged fingerprints from photographs alone
  ○ Can be lost (i.e., loss or degradation)
  ○ Can’t be changed

Jan Krissler says he replicated the fingerprint of defence minister Ursula von der Leyen using pictures taken with a "standard photo camera".

Something you know
● Information held by a limited number of parties
● Examples
  ○ Password
  ○ API token
  ○ Encryption key
  ○ Combination to a lock
  ○ Secret handshake
  ○ Details of the crime

Something you know (cont.)
● Strengths
  ○ Easy to transport
  ○ Can be changed
  ○ Easily transferable/easy to duplicate
● Weaknesses
  ○ Verifier learns the secret
  ○ Can be forgotten
  ○ Easy to duplicate

Something you can do
● Ability to perform a unique task
● Examples
  ○ Signature
  ○ Voice recognition
  ○ CAPTCHA
  ○ Whale songs

Something you can do (cont.)
“Recorded in the Book of Judges, chapter 12, after the inhabitants of Gilead inflicted a military defeat upon the tribe of Ephraim, the surviving Ephraimites tried to cross the Jordan River back into their home territory and the Gileadites secured the river's fords to stop them. In order to identify and kill these refugees, the Gileadites required each refugee to say the word shibboleth. The Ephraimite dialect did not contain the "sh" sound and so those who pronounced the word as sibboleth were identified as Ephraimites and killed.”
Source: https://en.wikipedia.org/wiki/Shibboleth

Something you can do (cont.)
● Strengths
  ○ Difficult (but not impossible) to forge
    ■ e.g. handwriting
● Weaknesses
  ○ Ability can be lost, say, due to an accident

Multifactor Authentication
● Use multiple factors for authentication or authorization
  ○ e.g. password + token generator (something you know + something you have)
● Unlimited factors can be combined
  ○ e.g. Bloomberg B-Unit requires
    ■ fingerprint
    ■ token generator
    ■ password
Source: https://storage.googleapis.com/support-kms-prod/SNP_2909001_en_v0

Multifactor Authentication
● Strengths
  ○ Must compromise both factors to break security
● Weaknesses
  ○ Can be more burdensome to use

Multifactor Authentication
For usability, the tradeoff is important.
Google two-factor authentication only uses the second factor (phone) to authenticate the browser, which is then trusted for 30 days. During that time, you only need a password.

Identification, Authentication, Authorization Revisited
● Often these schemes can be broken down into
  ○ Identification (who are you?)
  ○ Authentication (prove it)
  ○ Authorization (what are you allowed to do?)
● Examples:
  ○ User login (username/password/file access)
  ○ Some transportation (ticket with name/ID card/train ride)

Identification, Authentication, Authorization Revisited
● However, this model often doesn’t apply
  ○ Identification/authentication can be done in one step
  ○ Authorization can occur without authentication

Identification, Authentication, Authorization Revisited
● Identification/authentication in one step
● Examples:
  ○ When you see/hear somebody you know
  ○ Most uses of SSNs
    ■ Bad because it’s both a public identifier (that everyone needs to know) and an authenticator (that only you should know)

Identification, Authentication, Authorization Revisited
● Authorization without authentication
● Examples:
  ○ Door keys
  ○ Postage stamps
  ○ Movie tickets

Identification, Authentication, Authorization Revisited
● Subtleties
  ○ Identification doesn’t have to be of an individual
    ■ Can be a group (e.g., Gileadites)
    ■ Authorization is then a property common to members
      ● Ability to pronounce “shibboleth”
      ● Knowledge of the 1940 World Series champions

Identification, Authentication, Authorization Revisited
● Subtleties
  ○ Identifiers aren’t always unique
    ■ John Savage (IMDb)
    ■ Johnnie Thomas and John Thomas Christopher
    ■ Singapore’s exoneration documents
Source: http://www.imdb.com/name/nm0001698/

Identification, Authentication, Authorization Revisited
● Subtleties
  ○ Identification doesn’t have to be a name
    ■ username or user ID
    ■ ATM card number

Summary
● Often broken into three steps
  ○ Identification, Authentication, and Authorization
● But this isn’t necessary
● Four ways to prove authentication or authorization
  ○ Something you have/are/know/can do

Coming up next...
● Two lectures on cryptography (Anna Lysyanskaya)
● One lecture on password security
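The three-step identify/authenticate/authorize scheme, the "authorization without authentication" cases (door keys, movie tickets) and the 30-day trusted-browser window from the multifactor slides, as one added Python model that is not part of the lecture. The user, password, right name and the HMAC-signed bearer token format are assumptions made for the example.

```python
import hashlib, hmac, os, time

# Constructed toy state for the example; SERVER_KEY is held only by the verifier.
SERVER_KEY = os.urandom(32)
TRUST_WINDOW = 30 * 24 * 3600   # the 30-day browser trust from the slides, in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, rights):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_pw(password, salt), "rights": set(rights)}

USERS = {"alice": make_user("correct horse", ["read:grades"])}   # assumed user and right

def authenticate(username, password):
    """Steps 1+2: the claimed identity is proven with something you know (a password)."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw"])

def authorize(username, right):
    """Step 3: rights are looked up on the authenticated identity."""
    return right in USERS[username]["rights"]

def sign(kind, subject, expires_at):
    """Bearer token (door key, movie ticket): holding it is the authorization; no identity needed."""
    body = f"{kind}|{subject}|{expires_at}".encode()
    return body + b"|" + hmac.new(SERVER_KEY, body, "sha256").hexdigest().encode()

def verify(token, kind, subject, now=None):
    """Check the tag (unforgeable without SERVER_KEY) and the expiry; the holder is never identified."""
    body, _, tag = token.rpartition(b"|")
    expected = hmac.new(SERVER_KEY, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False
    t_kind, t_subject, t_exp = body.decode().split("|")
    now = time.time() if now is None else now
    return t_kind == kind and t_subject == subject and now < float(t_exp)

def login(username, password, second_factor_ok, device_token=None, now=None):
    """Password every time; the phone is needed only until the device token from the last 2FA expires."""
    now = time.time() if now is None else now
    if not authenticate(username, password):
        return None
    if device_token is not None and verify(device_token, "device", username, now):
        return device_token          # trusted browser: no second factor within the window
    if not second_factor_ok:
        return None
    return sign("device", username, now + TRUST_WINDOW)
```

The device token and the ticket are the same construction: both turn a one-time proof into "something you have", which is why the lecture lists a stolen token alongside a stolen key.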