# HG changeset patch # User Christian Urban # Date 1414370112 0 # Node ID 42bf66f0a903f971fef957ca493422a53cd8ae48 # Parent f96d3e48ed3dcf1c7fbf3c6a07e6b566c2dafac4 updated diff -r f96d3e48ed3d -r 42bf66f0a903 handouts/ho04.pdf Binary file handouts/ho04.pdf has changed diff -r f96d3e48ed3d -r 42bf66f0a903 handouts/ho04.tex --- a/handouts/ho04.tex Thu Oct 23 11:30:21 2014 +0100 +++ b/handouts/ho04.tex Mon Oct 27 00:35:12 2014 +0000 @@ -9,7 +9,7 @@ \section*{Handout 4 (Access Control)} Access control is essentially about deciding whether to grant -access to a resource or deny it. Sounds easy. No? Well it +access to a resource or deny it. Sounds easy, no? Well it turns out that things are not as simple as they seem at first glance. Let us first look, as a case-study, at how access control is organised in Unix-like systems (Windows systems @@ -175,11 +175,11 @@ \subsubsection*{Secrecy and Integrity} Often you need to keep information secret within a system or -organisation, or secret to the ``outside world''. An example -would be to keep information secret such that insiders cannot -leak information to competitors. A very good instance of such -an access control system is the secrecy levels used in the -military. There you distinguish four secrecy levels: +organisation, or secret from the ``outside world''. An example +would be to keep insiders from leaking information to +competitors. An instance of such an access control system is +the secrecy levels used in the military. There you distinguish +usually four secrecy levels: \begin{itemize} \item top secret @@ -193,48 +193,125 @@ special clearance. The unclassified category is the lowest level not needing any clearance. While the idea behind these security levels is quite straightforward, there are some -interesting implications for when you want to realise such a -system. To begin the access control needs to be -\emph{mandatory} as opposed to \emph{discretionary}. With -discretionary access control, the users can decide how to -restrict or grant access to resources. With mandatory access -control, the access to resources is enforced ``system-wide'' -and cannot be controlled by the user. There are also some -interesting rules for reading and writing an object that -need to be enforced: +interesting phenomenons that you need to think about when +realising such a system. First this kind of access control +needs to be \emph{mandatory} as opposed to +\emph{discretionary}. With discretionary access control, the +users can decide how to restrict or grant access to resources. +With mandatory access control, the access to resources is +enforced ``system-wide'' and cannot be controlled by the user. +There are also some interesting rules for reading and writing +a resource that need to be enforced: \begin{itemize} -\item {\bf Read Rule}: a principal $P$ can read an object $O$ -provided $P$'s security level is at least as high as $O$'s - -\item {\bf Write Rule}: a principal $P$ can write an object $O$ -provided $O$'s security level is at least as high as $P$'s +\item {\bf Read Rule}: a principal $P$ can read a resource $O$ + provided $P$'s security level is at least as high as + $O$'s +\item {\bf Write Rule}: a principal $P$ can write a resource + $O$ provided $O$'s security level is at least as high as + $P$'s \end{itemize} -\noindent The first rule says that a principal with secret +\noindent The first rule implies that a principal with secret clearance can read secret documents or lower, but not documents classified top-secret. The second rule for writing needs to be the other way around: someone with secret clearance can write secret or top-secret documents---no -information is leaked. In contrast it cannot write -confidential documents, because then information can be leaked -to lower levels. These rules about enforcing secrecy with -mult-level clearances is often called \emph{Bell/LaPudela} -model, named after two people who studied such systems. +information is leaked in these cases. In contrast the +principal cannot write confidential documents, because then +information can be leaked to lower levels. These rules about +enforcing secrecy with multi-level clearances are often called +\emph{Bell/LaPadula} model, named after two people who studied +such systems. -A problem with this access control system is when two people -want to talk to each other but having different security -clearances, say secret and confidential. In these situations, -the people with the higher clearance have to lower their -security level and are not allowed to take any document -from the higher level with them (otherwise again information -could be leaked). In actual systems this might mean that -people need to log out and log into the system again---this -time with credentials for the lower level. +A problem with this kind of access control system is when two +people want to talk to each other but are assigned different +security clearances, say secret and confidential. In these +situations, the people with the higher clearance have to lower +their security level and are not allowed to take any document +from the higher level with them to the lower level (otherwise +information could be leaked). In actual systems, this +might mean that people need to log out and log into the system +again---this time with credentials for the lower level. While secrecy is one property you often want to enforce, -integrity is another. This property ensures that no +integrity is another. This property ensures that nobody +without adequate clearance can change, or tamper with, +systems. An example for this property is a \emph{fire-wall}, +which isolates a local system from threads from the +Internet, for example. The rule for such a system is +that somebody from inside the fire-wall can write resources +outside the firewall, but you cannot write a resource inside +the fire-wall from outside. Otherwise an outside can just +tamper with a system in order to break in. In contrast +we can read resources from inside the fire-wall, for example +web-pages. But we cannot read anything from outside the +fire-wall. Lest we might introduce a virus into the system +(behind the fire-wall). In effect in order to ensure +integrity the read and write rules are reversed from the +case of secrecy: + +\begin{itemize} +\item {\bf Read Rule}: a principal $P$ can read a resource $O$ + provided $P$'s security level is lower or equal than + $O$'s +\item {\bf Write Rule}: a principal $P$ can write a resource + $O$ provided $O$'s security level is lower or equal than + $P$'s +\end{itemize} + +\noindent This kind of access control system is called +\emph{Biba} model, named after Kenneth Biba. Its purpose is to +prevent data modification by unauthorised principals. + +The paradoxical result of the different reading and writing +rules in the \emph{Bell/LaPadula} and \emph{Biba} models is +that we cannot have secrecy and integrity at the same time +in a system, or they need to be enforced by different means. + +\subsubsection*{Multi-Agent Access Control} + +In military or banking, for example, very critical decisions +need to be made using a \emph{two-man rule}. This means such +decisions need to be taken by two people together, so that +no single person can defraud a bank or start a nuclear war +(you will know what I mean if you have seen the classic movie +``Dr Strangelove or: How I Learned to Stop Worrying and Love +the +Bomb''\footnote{\url{http://en.wikipedia.org/wiki/Dr._Strangelove}}). + +Let us assume we want to implement a system where a CEOs can +fell decisions on their own, but two managing directors (MDs) +need to come together to fell the same decision. If ``lowly'' +directors (Ds) want to take the decision, three need to come +together. An obvious solution to such a problem is to split +the necessary key into $n$ parts according to the ``level'' +where the decision is taken. For example one key for a CEO, +two halves for the MDs and three thirds for the Ds. The +problem with this kind of sharing a key is that there might +be many hundreds MDs and Ds in your organisations. Simple-minded +halving or devision by three of the keey just does not work. + +A much more clever solution was Blakley and Shamir in 1979. +This solution is inspired by some simple geometric facts. +Given a three-dimentional axis system, we can specify a +point on the $z$-axis, say, by specifying its coordinates. +But we could equally specify this point by a line that +intersects the $z$-axis in this point. How can a line be +specified? Well, by giving two spaces in space. But as you +might remember from school days, we can specify the point +also by a plane and a plane can be specified by three points +in space. This could be pictured as follows: + +\begin{center} +\includegraphics[scale=0.45]{../pics/pointsplane.jpg} +\end{center} + +\noindent +Scaling this idea to more dimensions allows for even more +levels of access control. + \subsubsection*{Further Information}