
Authentication, Access Control, and Audit

RAVI SANDHU, George Mason University, [email protected]
PIERANGELA SAMARATI, Università degli Studi di Milano, Milano, Italy, [email protected]

Authentication, access control, and audit together provide the foundation for information and system security.

—Authentication establishes the identity of one party to another. Most commonly authentication establishes the identity of a user to some part of the system, typically by means of a password. More generally, authentication can be computer-to-computer or process-to-process and mutual in both directions.

—Access control determines what one party will allow another to do with respect to resources and objects mediated by the former. Access control usually requires authentication as a prerequisite.

—The audit process gathers data about activity in the system and analyzes it to discover security violations or diagnose their cause. Analysis can occur offline after the fact or online in real time. In the latter case, the process is usually called intrusion detection.

AUTHENTICATION

User-to-computer authentication can be based on one or more of the following:

—something the user knows, such as a password,

—something the user possesses, such as a credit-card-sized cryptographic token or smart card, or

—something the user is, exhibited in a biometric signature such as a fingerprint or voiceprint.

Password-based authentication is the most common technique but it has significant problems. Passwords can be surreptitiously observed or guessed. Password management is required to prod users to change their passwords regularly, to select good ones, and to protect them with care. Excessive password management makes adversaries of users and security administrators, which can be counterproductive. An intrinsic flaw of passwords is that users can share them with other users, which breaks down accountability. However, passwords can be effective and are cheap, so they are likely to remain in use.

The second technique authenticates the token rather than the user. Each token has a unique secret cryptographic key stored within it, used to establish the token's identity via a challenge-response handshake. The party establishing the authentication issues a challenge to which a response is computed using the secret key. Sometimes the challenge is implicitly taken to be the current time. The secret key should never leave the token. Attempts to break the token open to recover the key should cause the key to be destroyed. User-to-token authentication can be based on passwords in the form of a PIN (personal identification number).
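The challenge-response handshake described above, written out as an added example (not code from the paper): a token that gates its keyed response on a PIN and never exposes its key, and a verifier that issues fresh random challenges or, in the variant where the challenge is implicitly the current time, accepts responses computed over the current 30-second slot. The key value, PIN and token id are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key: provisioned into the token and registered with the verifier.
# It never leaves the token; the token only ever returns keyed responses over it.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
STEP = 30  # seconds per slot when the challenge is implicitly the current time


class Token:
    """Token side: user-to-token authentication by PIN, then keyed responses."""

    def __init__(self, key, pin):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin, challenge):
        # User-to-token authentication: a wrong PIN never reaches the key.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("bad PIN")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def respond_time(self, pin, now=None):
        # Challenge implicitly taken to be the current time slot.
        slot = int(time.time() if now is None else now) // STEP
        return self.respond(pin, slot.to_bytes(8, "big"))


class Verifier:
    """System side: issues challenges and checks responses of registered tokens."""

    def __init__(self, registered):
        self._keys = registered          # token id -> key registered at enrolment
        self._pending = {}               # token id -> outstanding challenge

    def challenge(self, token_id):
        self._pending[token_id] = secrets.token_bytes(16)  # fresh, so a replay fails
        return self._pending[token_id]

    def _expected(self, token_id, challenge):
        return hmac.new(self._keys[token_id], challenge, hashlib.sha256).digest()

    def verify(self, token_id, response):
        challenge = self._pending.pop(token_id, None)  # each challenge is used once
        return challenge is not None and hmac.compare_digest(self._expected(token_id, challenge), response)

    def verify_time(self, token_id, response, now=None, skew=1):
        # Accept the current slot and `skew` neighbours to tolerate small clock drift.
        slot = int(time.time() if now is None else now) // STEP
        return any(hmac.compare_digest(self._expected(token_id, (slot + d).to_bytes(8, "big")), response)
                   for d in range(-skew, skew + 1))
```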

Copyright © 1996, CRC Press.

ACM Computing Surveys, Vol. 28, No. 1, March 1996

Biometric authentication has been used for some time for high-end applications. The biometric signature should be different every time (for example, a voice-print check of a different challenge phrase on each occasion), or require an active input (for example, the dynamics of handwritten signatures). Technically, the best combination would be user-to-token biometric authentication, followed by mutual cryptographic authentication between the token and system services. This combination may emerge sooner than we imagine, although there are social issues in addition to technical ones.

Token-based authentication is a technical reality today, but it still lacks major market penetration. Many existing systems use the desktop workstation as a "token" for authentication with the rest of the network. A cryptographic key is computed from the user's password by the workstation, on the basis of which the workstation authenticates to the network. Kaufman et al. [1995] describe some of the techniques in current use.

ACCESS CONTROL

Access controls usually apply after authentication has been established. Access control can take several forms [Sandhu and Samarati 1994].

—Discretionary access control (DAC) is based on the idea that the owner of data should determine who has access to it. DAC allows data to be freely copied from object to object, so even if access to the original data is denied, access to a copy can be obtained.

—Lattice-based access controls [Sandhu 1993], also known as mandatory access controls (MAC), confine the transfer of information to one direction in a lattice of security labels (for example, low to high but not high to low). MAC emerged from confidentiality requirements of the military but has broad applications for integrity and separation objectives.

—Role-based access control (RBAC) requires that access rights be assigned to roles rather than to individual users (as in DAC) [Sandhu et al. 1996]. Users obtain these rights by virtue of being assigned membership in appropriate roles. This simple idea greatly eases the administration of security.

Other forms of access control also exist, and this remains a fertile area for further research and development. Existing systems often take a feature-based approach to access control in which multiple interacting access-control facilities are configured by security administrators to meet their policy objectives. Unfortunately, these access-control features are often poorly documented and their interactions poorly understood.
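An added example (not from the paper) of the lattice-based checks described above: labels are a level plus a set of categories, so some pairs are incomparable; reads require the subject to dominate the object and writes the reverse, which is what confines information flow to one direction and closes the DAC copy loophole. A short RBAC lookup follows for contrast. The level names, category names, roles and users are constructed.

```python
from dataclasses import dataclass

# Linear ordering of sensitivity levels; categories are an unordered set, so two
# labels may be incomparable (neither dominates the other).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        """self >= other in the lattice: level at least as high and categories a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def can_read(subject, obj):
    return subject.dominates(obj)  # simple security property: no read up


def can_write(subject, obj):
    return obj.dominates(subject)  # *-property: no write down


def copy_allowed(subject, src, dst):
    """A copy is a read of src followed by a write to dst. Under MAC the copy can
    only land at a label that dominates the original, unlike DAC, where a copy
    escapes the original's access decision."""
    return can_read(subject, src) and can_write(subject, dst)


# RBAC (constructed policy): rights attach to roles; users hold rights only
# through role membership, so revoking a role revokes everything it carried.
ROLE_PERMS = {"auditor": {"log:read"}, "operator": {"job:run", "log:read"}}
USER_ROLES = {"carol": {"auditor"}, "dave": {"operator"}}


def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))
```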
AUDIT

Audit has two components: the collection and organization of audit data [Jajodia et al. 1995], and an analysis of the data to discover or diagnose security violations [Lunt 1993; Mukherjee et al. 1994].

Audit data needs protection from modification by an intruder. Vast amounts of audit data can be recorded. Audit data tends to be captured at a low level of abstraction. Analysis of audit data is often performed only when violations are suspected. Even so, only audit data connected with the suspected violation are examined.

Intrusion detection systems seek to help carry out audit controls. Passive intrusion detection systems analyze the audit data, usually offline, and bring possible intrusions or violations to the attention of the auditor. Active systems analyze audit data in real time and may take immediate protective response, such as killing the suspected process and disabling the account.

The problem is what to look for in audit data and how to determine automatically whether a violation has occurred or is being perpetrated. The following approaches have been tried: anomaly detection, which is based on the assumption that the exploitation of the vulnerabilities of the system involves abnormal use of the system, and misuse detection, which is based on rules specifying events, sequences of events, or observable properties of the system, symptomatic of violations.

Finally, we note that audit analysis is an empirical discipline in which we currently have little historical data.
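The two analysis approaches just described, as an added example (not from the paper) run over constructed audit records: a misuse rule that matches a symptomatic event sequence (repeated login failures followed by a success), and an anomaly check that compares each user's activity count against a historical profile. The record format, user names and thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed audit records: (epoch seconds, user, event, outcome)
AUDIT = [
    (1000, "alice", "login", "fail"),
    (1010, "alice", "login", "fail"),
    (1020, "alice", "login", "fail"),
    (1030, "alice", "login", "ok"),
    (1100, "bob", "login", "ok"),
    (1200, "bob", "read", "ok"),
    (2000, "alice", "login", "ok"),
]

# Constructed profiles: daily event counts per user over past days, and today's count.
BASELINE = {"alice": [20, 22, 19, 21, 23], "bob": [5, 6, 5, 4, 5]}
TODAY = {"alice": 24, "bob": 40, "erin": 7}


def misuse_detect(records, max_fails=3, window=60):
    """Misuse detection: a rule for a known sequence symptomatic of a violation,
    at least max_fails failed logins by one user followed by a success within
    window seconds. Returns (user, time of the successful login) per match."""
    alerts, fails = [], defaultdict(list)
    for ts, user, event, outcome in sorted(records):
        if event != "login":
            continue
        if outcome == "fail":
            fails[user].append(ts)
            continue
        recent = [t for t in fails[user] if ts - t <= window]
        if len(recent) >= max_fails:
            alerts.append((user, ts))
        fails[user].clear()  # a success ends the sequence either way
    return alerts


def anomaly_detect(baseline, today, k=3.0):
    """Anomaly detection: flag users whose count today exceeds their historical
    mean by more than k standard deviations. Users without a profile are skipped,
    since normality cannot be judged without history."""
    alerts = []
    for user, count in today.items():
        history = baseline.get(user, [])
        if len(history) < 2:
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if count > mean + k * max(sd, 1.0):  # floor sd so a flat history still has a threshold
            alerts.append((user, count))
    return alerts
```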

REFERENCES

JAJODIA, S., GADIA, S., AND BHARGAVA, G. 1995. Logical design of audit information in relational databases. In Information Security: An Integrated Collection of Essays. Abrams, Jajodia, and Podell, Eds. IEEE Computer Society Press, Los Alamitos, CA, 585–595.

KAUFMAN, C., PERLMAN, R., AND SPECINER, M. 1995. Network Security. Prentice-Hall, Englewood Cliffs, NJ.

LUNT, T. F. 1993. A survey of intrusion detection techniques. Comput. Security 12, 405–418.

MUKHERJEE, B., HEBERLEIN, L. T., AND LEVITT, K. N. 1994. Network intrusion detection. IEEE Network (May/June), 26–41.

SANDHU, R. S. 1993. Lattice-based access control models. IEEE Computer 26, 11, 9–19.

SANDHU, R. S. AND SAMARATI, P. 1994. Access control: Principles and practice. IEEE Communications 32, 9, 40–48.

SANDHU, R. S., COYNE, E. J., FEINSTEIN, H. L., AND YOUMAN, C. E. 1996. Role-based access control models. IEEE Computer 29, 2.
