Data Security--University Translation

 

DATA SECURITY

Pierangela Samarati, SRI International

Sushil Jajodia, George Mason University

 

J. Webster (ed.), Wiley Encyclopedia of Electrical and Electronics Engineering Online
Copyright © 1999 by John Wiley & Sons, Inc. All rights reserved.
Article Online Posting Date: December 27, 1999

---

CONTENTS

1. TOP OF ARTICLE
2. IDENTIFICATION AND AUTHENTICATION
3. ACCESS CONTROL
4. AUDITING
5. DATA ENCRYPTION
6. CONCLUSIONS
7. ACKNOWLEDGMENTS

1. Top of Article

The term data security refers to the protection of information against possible violations that can compromise its secrecy (or confidentiality), integrity, or availability. Secrecy is compromised if information is disclosed to users not authorized to access it. Integrity is compromised if information is improperly modified, deleted, or tampered with. Availability is compromised if users are prevented from accessing data for which they have the necessary permissions. This last problem is also known as denial-of-service.

The increasing development of information technology in the past few years has led to the widespread use of computer systems that store and manipulate information and greatly increased the availability and the processing and storage power of information systems. The problem of protecting information exists because this information has to be managed. However, as technology advances and information management systems become even more powerful, the problem of enforcing information security becomes more critical. There are serious new security threats, and the potential damage caused by violations rises. Organizations more than ever today depend on the information they manage. A violation to the security of the information may jeopardize the whole working system and cause serious damage. Hospitals, banks, public administrations, private organizations, all depend on the accuracy, availability, and confidentiality of the information they manage. Just imagine what could happen, for instance, if a patient's data were improperly modified, were not available to the doctors because of a violation blocking access to the resources, or were disclosed to the public domain.

The threats to security to which information is exposed are many. Threats can be nonfraudulent or fraudulent. The first category comprises of all the threats resulting in nonintentional violations, such as natural disasters, errors or bugs in hardware or software, and human errors. The second category comprises all of such threats that can be attributed to authorized users (insiders) who misuse their privileges and authority, or external users (intruders) who improperly get access to a system and its resources. Ensuring protection against these threats requires the application of different protection measures. This article focuses mainly on the protection of information against possible violations by users, insiders, or intruders. The following services are crucial to the protection of data within this context (12):

1.	Identification and Authentication. It provides the system with the ability of identifying its users and confirming their identity.
2.	Access Control. It evaluates access requests to the resources by the authenticated users, and based on some access rules, it determines whether they must be granted or denied.
3.	Audit. It provides a post facto evaluation of the requests and the accesses occurred to determine whether violations have occurred or have been attempted.
4.	Encryption. It ensures that any data stored in the system or sent over the network can be deciphered only by the intended recipient. In network communication, encryption can also be used to ensure the authenticity of the information transmitted and of the parties involved in the communication.

Figure 1 illustrates the position of these services within the system working. Their treatment is the focus of this chapter.

2. IDENTIFICATION AND AUTHENTICATION

 

Authentication is the process of certifying the identity of one party to another. In the most basic form, authentication certifies the identity of a human user to the computer system. Authentication is a prerequisite for a correct access control, since the correctness of the access control relies on the correctness of the identity of the subject requesting access. Good authentication is also important for accountability, whereby users can be retained accountable for the actions accomplished when connected to the system. In the authentication process we can generally distinguish an identification phase, where users declare their identity to the computer and submit a proof for it, and an actual authentication phase, where the declared identity and the submitted proof are evaluated. Authentication of a user to a computer can be based on

·   something the user knows, such as a password

·   something the user possesses, such as a magnetic card

·   something the user is or does, such as his/her physical characteristics

or a combination of the above.

 

Authentication Based on Knowledge

The most common technique based on user's knowledge uses secret keywords, named passwords. A password, known only to the user and the system, proves the identity of the user to the system. Users wishing to log into the computer enter their identity (login) and submit a secret keyword (password) as a proof of their identity. Passwords are the most commonly used authentication technique for controlling accesses to computers. The wide use of this technique is due to the fact that is very simple, cheap, and easily enforceable. A drawback is that this technique is quite vulnerable. Passwords can often be easily guessed, snooped by people observing the legitimate user keying it in, sniffed during transmission, or spoofed by attackers impersonating login interfaces. By getting a user's password an attacker can then impersonate this user and enter the system. An important aspect necessary to limit the vulnerability of passwords is a good password management. Often passwords are vulnerable because users do not put enough care in their management: They do not change their passwords for a long time; share their passwords with friends or colleagues; choose weak passwords that can be easily guessed, such as common words, the name or birthdate of a relative, or the name of their pet, simply because they are easy to remember; use the same password on different machines; or write passwords down over pieces of papers to make sure they do not forget them. A good password management requires users to change their password regularly, choose passwords that are not easy to guess, and keep the password private. Unfortunately, these practices are not always followed.

Having to remember passwords can become a burden for a user, especially when multiple passwords, necessary to access different accounts, need to be remembered. To make this task easier, users often end up falling in some of the bad habits listed above, thus making the attackers task easier as well. To avoid this problem, many systems enforce automatic controls regulating the specification and use of passwords. For instance, it is possible to enforce restrictions on the minimum number of digits a password must have, possibly requiring the use of both alphanumeric and nonalphanumeric characters. Also often systems check passwords against language dictionaries and reject passwords corresponding to words of the language (which would be easily retrieved by attackers enforcing dictionary attacks). It is also possible to associate a maximum lifetime to passwords, and require users to change their password when it expires. Passwords that remain unchanged for a long time are more vulnerable and, if guessed and never changed, would allow attackers to freely access the system impersonating the legitimate users. A history log can also be kept to make sure users do not just pretend to change password while reusing instead the same one. Sometimes a minimum lifetime can also be associated with passwords. The reason for this is to avoid users to actually reuse the same password over and over again despite the presence of lifetime and history controls. Without a minimum lifetime a user required to change password but unwilling to do so could simply change it and then change it back right away to the old value. A minimum lifetime restriction would forbid this kind of operation.

Authentication Based on Possession

In this category, also called token-based, there are all the techniques that require users to present a token as a proof of their identity. A token is a creditcard-sized device storing some information establishing and proving the token's identity. The simplest form of token is a memory card containing magnetically recorded information, which can be read by an appropriate card reader. Essentially this technique authenticates the validity of the token, not of the user: Possession of the token establishes identity for the user. The main weakness of such an approach is that tokens can be forged, lost, or stolen. To limit the risk of security breaches due to such occurrences, often memory cards are used together with a personal identification number (PIN), generally composed of four numeric digits, that works like a password. To enter the system, a user needs both to present the token and to enter the PIN. Like passwords, PINs can be guessed or spoofed, thus possibly compromising authentication, since an attacker possessing the token and knowing the PIN will be able to impersonate the legitimate user and enter the system. To limit the vulnerability from attackers possessing a token and trying to guess the corresponding PIN to enter the system, often the authentication server terminates the authentication process, and possibly seizes the card, upon submission of few bad tries for a PIN. Like passwords, tokens can be shared among users, thus compromising accountability. Unlike with passwords, however, since possession of the token is necessary to enter the system, only one user at the time is able to enter the system. Memory cards are very simple and do not have any processing power. They cannot therefore perform any check on the PIN or encrypt it for transmission. This requires sending the PIN to the authentication server in the clear, exposing the PIN to sniffing attacks and requiring trust in the authentication server. ATM (automatic teller machine) cards are provided with processing power that allows the checking and encrypting of the PIN before its transmission to the authentication server.

In token devices provided with processing capabilities, authentication is generally based on a challenge-response handshake. The authentication server generates a challenge that is keyed into the token by the user. The token computes a response by applying a cryptographic algorithm to the secret key, the PIN, and the challenge and returns it to the user, who enters this response into the workstation interfacing the authentication server. In some cases the workstation can directly interface the token, thus eliminating the need for the user to type in the challenge and the response. Smart cards are sophisticated token devices that have both processing power and direct connection to the system. Each smart card has a unique private key stored within. To authenticate the user to the system, the smart card verifies the PIN. It then enciphers the user's identifier, the PIN, and additional information like date and time, and sends the resulting ciphertext to the authentication server. Authentication succeeds if the authentication server can decipher the message properly.

Authentication Based on Personal Characteristics

Authentication techniques in this category establish the identity of users on the basis of their biometric characteristics. Biometric techniques can use physical or behavioral characteristics, or a combination of them. Physical characteristics are, for example, the retina, the fingerprint, and the palmprint. Behavioral characteristics include handwriting, voiceprint, and keystroke dynamics (37). Biometric techniques require a first phase in which the characteristic is measured. This phase, also called enrollment, generally comprises of several measurements of the characteristic. On the basis of the different measurements, a template is computed and stored at the authentication server. Users' identity is established by comparing their characteristics with the stored templates. It is important to note that, unlike passwords, biometric methods are not exact. A password entered by a user either matches the one stored at the authentication server or it does not. A biometric characteristic instead cannot be required to exactly match the stored template. The authentication result is therefore based on how closely the characteristic matches the stored template. The acceptable difference must be determined in such a way that the method provides a high rate of successes (i.e., it correctly authenticates legitimate users and rejects attackers) and a low rate of unsuccesses. Unsuccesses can either deny access to legitimate users or allow accesses that should be rejected. Biometric techniques, being based on personal characteristics of the users, do not suffer of the weaknesses discusses above for password or token-based authentication. However, they require high-level and expensive technology, and they may be less accurate. Moreover techniques based on physical characteristics are often not well accepted by users because of their intrusive nature. For instance, retinal scanners, which are one of the most accurate biometric method of authentication, have raised concerns about possible harms that the infrared beams sent to the eye by the scanner can cause. Measurements of other characteristics, such as fingerprint or keystroke dynamics, have instead raised concerns about the privacy of the users.

3. ACCESS CONTROL

 

Once users are connected to the system, they can require access to its resources and stored data. The enforcement of an access control allows the evaluation of such requests and the determination of whether each request should be granted or denied. In discussing access control, it is generally useful to distinguish between policies and mechanisms. Policies are high-level guidelines that determine how accesses are controlled and access decisions determined. Mechanisms are low-level software and hardware functions implementing the policies. There are several advantages in abstracting policies from their implementation. First, it is possible to compare different policies and evaluate their properties without worrying about how they are actually implemented. Second, it is possible to devise mechanisms that enforce different policies so that a change of policy does not necessarily require changing the whole implementation. Third, it is possible to devise mechanisms that can enforce multiple policies at the same time, thus allowing users to choose the policy that best suits their needs when stating protection requirements on their data (22,28,29,46,50). The definition and formalization of a set of policies specifying the working of the access control system, providing thus an abstraction of the control mechanism, is called a model. A main classification of access control policies distinguishes between discretionary and mandatory policies (and models).

Discretionary Access Control Policies

Discretionary access control policies govern the access of users to the system on the basis of the user's identity and of rules, called authorizations, that specify for each user (or group of users) the types of accesses the user can/cannot exercise on each object. The objects to which access can be requested, and on which authorizations can be specified, may depend on the specific data model considered and on the desired granularity of access control. For instance, in operating systems, objects can be files, directories, programs. In relational databases, objects can be databases, relations, views, and, possibly tuples or attributes within a relations. In object-oriented databases objects include classes, instances, and methods. Accesses executable on the objects, or on which authorizations can be specified, may correspond to primitive operations like read, write, and execute, or to higher level operations or applications. For instance, in a bank organization, operations like debit, credit, inquiry, and extinguish can be defined on objects of types accounts.

Policies in this class are called discretionary because they allow users to specify authorizations. Hence the accesses to be or not to be allowed are at the discretion of the users. An authorization in its basic form is a triple user, object, mode stating that the user can exercise the access mode on the object. Authorizations of this form represent permission of accesses. Each request is controlled against the authorizations and allowed only if a triple authorizing it exists. This kind of policy is also called closed policy, since only accesses for which an explicit authorization is given are allowed, while the default decision is to deny access. In an open policy, instead, (negative) authorizations specify the accesses that should not be allowed. All access requests for which no negative authorizations are specified are allowed by default. Most system supports the closed policy. The open policy can be applied in systems with limited protection requirements, where most accesses are to be allowed and the specification of negative authorizations results therefore more convenient.

Specification of authorizations for each single user, each single access mode, and each single object can become quite an administrative burden. By grouping users, modes, and objects, it is possible to specify authorizations holding for a group of users, a collection of access modes, and/or a set of objects (3,33,28,48). This grouping can be user defined or derived from the data definition or organization. For instance, object grouping can be based on the type of objects (e.g., files, directories, executable programs), on the application/activity in which they are used (e.g., ps-files, tex-files, dvi-files, ascii), on data model concepts (e.g., in object-oriented systems a group can be defined corresponding to a class and grouping all its instances), or on other classifications defined by users. Groups of users generally reflect the structure of the organization. For instance, example of groups can be employee, staff, researchers, or consultants