File Protection Mechanisms

1
File Protection Mechanisms

• All-None Protection
• Lack of trust
• All or nothing
• Timesharing issues
• Complexity
• File listings

2
File Protection Mechanisms

• Group Protection
• User cannot belong to two groups
• Forces one person to be multiple users
• Forces user to be put into all groups
• Files can only be shared within groups

3
File Protection Mechanisms

• Single Permissions
• Password/Token for each file
• Can be lost
• Inconvenient
• Must be protected (if changed, must notify all
  users)
• Temporary Acquired Permission
• UNIXs set userid (suid)

4
User Authentication

• Something the user knows (password, PIN,
  passphrase, mothers maiden name)
• Something the user has (ID, key, drivers
  license, uniform)
• Something the user is (biometrics)

5
Use of Passwords

• Mutually agreed-upon code words, assumed known
  only to user and system
• First line of defense
• Loose-Lipped Systems
• WELCOME TO XYZ COMPUTING
• ENTER USER ID summers
• INVALID USER NAME
• ENTER USER ID

6
Attack on Passwords

• Ask the user
• Search for the system list of passwords
• Find a valid user ID
• Create a list of possible passwords (encrypt if
  needed)
• Rank the passwords from high to low probability
• Try each password
• If attempt fails, try again (don't exceed
  password lockout)

7
Attack on Passwords

• Exhaustive Attack (brute-force)
• 18,278 passwords of 3 letters or less
• 1 password / millisecond would take 18 seconds (8
  minutes for 4 letters, 3.5 hours for 5 letters)
• Probable passwords (dictionary attack)
• 80,000 word dictionary would take 80 seconds
• Expanded dictionary

8
Attack on Passwords

• UK Study (http//www.cnn.com/2002/TECH/ptech/03/13
  /dangerous.passwords/?related)
• 50 passwords were family names
• Celebrities/soccer stars 9 each
• Pets 8
• 10 reflect a fantasy
• Only 10 use cryptic combinations

9
Attack on Passwords

• Look on desk
• Try no password
• Try user ID
• Try users name
• Common words (password, private, secret)
• Short dictionary
• Complete English word list
• Common non-English dictionaries
• Dictionary with capitalization and substitutions
  (0 for o and 1 for i)
• Brute force (lowercase alphabet)
• Brute force (full character set)

10
Attack on Passwords

• Plaintext System Password List (MS Windows)
• Encrypted Password List 1-way (/etc/passwd)
• Shadow Password List (/etc/shadow)
• Salt 12-bit number formed from system time and
  process id concatenated to password

11
Password Selection Criteria

• Use characters other than A-Z
• Choose long passwords
• Avoid names and words
• Choose unlikely password
• Change password regularly (dont reuse)
• Dont write it down
• Dont tell anyone
• http//www.mit.edu/afs/sipb/project/doc/passwords/
  passwords.html
• One-time passwords

12
Authentication

• Should be slow (5-10 seconds)
• Should only allow a limited of failures (e.g.
  3)
• Challenge-Response Systems
• Impersonation of Login
• Authentication Other than Passwords