CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October

CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1

Authentication, access control, and policy configuration

Lorrie Faith CranorOctober 2009


Outline

Definitions Authentication Access control Policy management Policy authoring


Definitions Identification - a claim about identity

– Who or what I am (global or local) Authentication - confirming that claims are true

– I am who I say I am– I have a valid credential

Authorization - granting permission based on a valid claim– Now that I have been validated, I am allowed to access certain resources

or take certain actions Access control system - a system that authenticates users and gives

them access to resources based on their authorizations– Includes or relies upon an authentication mechanism– May include the ability to grant course or fine-grained authorizations,

revoke or delegate authorizations– Also includes an interface for policy configuration and management


Building blocks of authentication Factors

– Something you know (or recognize)– Something you have– Something you are

Two factors are better than one– Especially two factors from different categories

What are some examples of each of these factors?

What are some examples of two-factor authentication?


Authentication mechanisms

Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics


Evaluation

Accessibility Memorability Security Cost Environmental considerations


Typical password advice


Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down

So what do you do when every web site you visit asks for a password?


Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1



Problems with Passwords Selection

– Difficult to think of a good password– Passwords people think of first are easy to guess

Memorability– Easy to forget passwords that aren’t frequently used– Difficult to remember “secure” passwords with a mix of upper & lower

case letters, numbers, and special characters Reuse

– Too many passwords to remember– A previously used password is memorable

Sharing– Often unintentional through reuse– Systems aren’t designed to support the way people work together and

share information


Mnemonic PasswordsFour

First letter of each word (with punctuation)

fsasya,oFSubstitute numbers for words or similar-looking letters

4sa7ya,oFSubstitute symbols for words or similar-looking letters

F

4sasya,oF

Four

4sa7ya,oF

4s&7ya,oF

score s andaand seven sseven yearsy ago a ,, our o Fathers F

Source: Cynthia Kuo, SOUPS 2006


The Promise?

Phrases help users incorporate different character classes in passwords– Easier to think of character-for-word substitutions

Virtually infinite number of phrases Dictionaries do not contain mnemonics



The Problem?

“Goodness” of mnemonic passwords unknown– Yan et al. compared regular, mnemonic, and

randomly generated passwords• Used standard (non-mnemonic) dictionary• Effectively evaluated whether mnemonic passwords

contained dictionary words



Mnemonic password evaluation Mnemonic passwords are not a panacea for

password creation No comprehensive dictionary today May become more vulnerable in future

– Many people start to use them– Attackers incentivized to build dictionaries

Publicly available phrases should be avoided!

C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.



Password keeper software

Run on PC or handheld Only remember one password


Single sign-on

Login once to get access to all your passwords


Biometrics


Graphical passwords


“Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently

used sites?


Convenient SecureID 1

What problems does this approach solve?

What problems does it create?

Source:

http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx


Convenient SecureID 2

What problems does this approach solve?

What problems does is create?

22

Previously available at:

http://fob.webhop.net/


Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable-a

uthentication/2007Mar/0004.html– User gets ID, password (or alternative), image,

hotspot at enrollment– Before user is allowed to login they are asked to

confirm URL and SSL cert and click buttons– Then login box appears and user enters username

and password (or alternative)– Server displays set of images, including user’s image

(or if user entered incorrect password, random set of images appear)

– User finds their image and clicks on hotspot• Image manipulation can help prevent replay attacks

What problems does this solve? What problems doesn’t it solve? What kind of testing is needed


Types of access control Discretionary access control

– Distributed, dynamic, users set access rules for resources they own and can delegate access to others

Role-based access control– Centralized admin assigns users to roles and sets

access rules based on roles And many others that vary

– discretionary/mandatory– centralized/distributed– granularity– grouping


Policy management problems Admins, large organizations understanding large

access control policies– Someone in marketing changed a policy and now we can’t

figure out why people in sales no longer have access to a document

– Who has access to this document anyway? End users creating and understanding policies

– Examples: File system permissions, Grey, Perspective, privacy rules

– Home users want to share some files with some other users, but don’t want to share everything


Roles for policy professionals

Policy makers Policy implementers

L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in

access-control management. CHI 2009.

http://www.ece.cmu.edu/~lbauer/papers/2009/chi09-management.pdf


Policy conflicts Given

– Alice is in GroupA and GroupB– FileQ is in FolderX

What types of conflicts might occur?

Direct conflict– Alice allowed access to FileQ– Alice denied access to FileQ

Group/group conflict– GroupA allowed access to FileQ– GroupB denied access to FileQ

User/group conflict– Alice allowed access to FileQ– GroupA denied access to FileQ

File/directory conflict– Alice allowed access to FileQ– Alice denied access to FolderX

2-way conflict – Alice allowed access to FileQ– GroupA denied access to FolderX


How can conflicts be resolved?

Default rule – deny/allow takes precedence Ordered rules – policy author sets order Ordered rules – most recent first/last Specificity – most/least specific takes precedence Weighted rules – policy author assigns weights Exceptions – policy authors defines exceptions

(essentially a partial ordering) Combination


Policy Authoring

Slides courtesy of Rob Reeder

R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.


Memogate


Proliferation of policiesFile systems

Location disclosure applications

Online social networks

Websites


Policy authoring

Policy – a set of rules that determine the conditions under which access is allowed to a resource

Policies are created, edited, and viewed – authored

Someone determines policy – the author Policies should fulfill the author’s intentions Policy authoring is done with a user interface


List of rules interfaces support policy authoring operations poorly Viewing policy

– Often only one rule at a time is visible– Difficult to understand policy by reading

long list of rules Changing policy

– Difficult to understand effect of changes because you can’t see all relevant parts of a policy together

Viewing group memberships– Usually requires using a separate

interface Detecting and resolving conflicts

– When rules interact, it isn’t clear what the outcome will be


Solution: Expandable Grid

Key insight:Center policy-authoring user interfaces around a display of the whole effective policy, not a list of rules


Expandable Grid details

35

Jana


Direct manipulation interface

To change a policy, just click on a cell and toggle the color

In order to make this work, we had to change the conflict resolution semantics– Widows semantics: Deny takes precedence, but

specificity precedence in resource dimension– Expandable Grid semantics: Recency precedence


User study of Expandable Grid for file permissions Laboratory study 2 conditions:

– Expandable Grid– Native Windows file permissions interface

36 participants, 18 per condition, novice policy authors Training:

– 3.5 minutes for Grid– 5.5 minutes for Windows

18 tasks based on a teaching assistant scenario


Example task: Jana Set permissions so that Jana can read and write the

Four-part Harmony.doc file in the Theory 101\Handouts folder.

Task setup:– Jana is a TA “this” year (did the study in 2007)

• Is in the group Theory 101 TAs 2007– Jana was a TA last year

• Is in the group Theory 101 TAs 2006– 2007 TAs are allowed READ & WRITE– 2006 TAs are denied READ & WRITE– Since Jana is in both groups, she is denied access


Jana task – common error


Learning Jana’s effective permissions

2

4

Click “Advanced” Click “Effective Permissions”

Select Jana

View Jana’s Effective Permissions

1


Learning Jana’s group membership5

6

8

9

Bring up Computer Management interface

Click on “Users”

Double-click Jana

Read Jana’s group membership

TAs 2006TAs 2007

7

Click “Member Of”


Learning Jana’s groups’ permissions

10 11

12

13

Click on TAs 2006

Read permissions for TAs 2006

Click on TAs 2007

Read permissions for TAs 2007


Changing Jana’s groups’ permissions

14 15

Click on TAs 2006

Change permissions for TAs 2006


Checking work

17

19

16

Click “Advanced”

Click “Effective Permissions”

Select Jana

View Jana’s Effective Permissions


XP support for fundamental operations

Viewing policy– Effective policy is 3 screens away (most authors

don’t find them) Changing policy

– Authors operate on rules, not effective policy Viewing group memberships

– In a separate application from file permissions Detecting and resolving conflicts

– Has to be done manually


Viewing effective policy

1


Viewing group membership

2


Changing policy

3


Resolving rule conflicts


Grid support for fundamental operations

Viewing policy– Effective policy directly shown on screen

Changing policy– Changes take one click

Viewing group memberships– Group memberships are shown in the trees

Detecting and resolving conflicts– Happens automatically


Results

Small-size Large-size

Task type Accuracy Time Accuracy Time

View simple

View complex

Change simple

Change complex

Compare groups

Conflict simple

Conflict complex

Memogate simulation

Precedence rule test

111s126s

89%56%

94%17%

89%94%

61%0%

89%83%

67%61%

89%0%

100%94%

89%94%

61%56%

10039%

100100

67%17%

67%83%

72%61%

1006%

94%78%

78%78%

29s64s

35s55s

30s52s

70sInsufficient data

39s103s

55s103s

29s

20s66s

Insufficient data

42s118s

42s61s

39s67s

50s42s

73s104s

52sInsufficient data

105s116s

71s115s

100s

0 50 100 150

1

143s

GridWindows

Jana task


Conflict-resolution method Were the effects we observed due to the Expandable

Grid visualization, the recency precedence conflict-resolution method, or both?

We ran another study to find out– Implemented deny-takes-precedence in the Expandable

Grid interface– Ran 18 new participants with the new Grid interface

Results– On the Jana task, recency precedence made a big

difference– On the other tasks, the Grid was generally superior to

Windows no matter the conflict resolution scheme Both the Grid’s presentation aspects AND recency

precedence make a difference


Desired properties for conflict resolution method Direct manipulation Exception-rule preservation Order independence Fail safety


Problems with Windows and recency semantics

Windows: – No satisfactory way to solve Jana-like rule conflicts

Recency:– Too liberal in overriding existing rules– Does not work well in the presence of dynamic

changes, like adding a user to a group, moving a file


Our specificity semantics Conflict resolution procedure

– Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence)

– Otherwise, use deny-precedence Benefits

– If group rules are in conflict, can make a user-level exception

– Exceptions stay in place even when group rules change

– User-level or file-level exceptions stay in place even in the presence of dynamic changes


Enhanced Grid


Enhanced Grid


Semantics study #2 Laboratory study 3 conditions:

– Expandable Grid with specificity semantics– Expandable Grid with Windows semantics– Native Windows file permissions interface

54 participants, 18 per condition, novice policy authors 10 minutes training for all conditions Used large-scale Teaching Assistant scenario from prior

study 12 total tasks with counterbalanced task order


Results and discussion Conflict resolution semantics can have a big

effect on usability, but no perfect semantics Specificity helps resolve rule conflicts and makes

group rule exceptions easy Specificity semantics is not always better than

Windows semantics The grid/specificity combination overcomes

semantics disadvantages Whatever the semantics, show effective policy!

Documents

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October