Access control is a method of limiting and allowing access to resources in some way. It is a protection measure against unauthorized use of system resources. By limiting access to files and other resources, it can prevent illegal users from invading or legitimate users from damaging improper operations, so as to ensure the legitimate use of information system resources. Access control technology can automatically and effectively prevent illegal access or improper use of system resources by controlling computer systems, detect some security violations, and support the security requirements of applications and data. Access control technology cannot replace identity authentication, it is built on the basis of identity authentication.
Access control technology includes the following aspects:
(1) User identification and authentication
User identification and authentication is a kind of access control technology based on users. It is a conventional technical measure to prevent unauthorized users from entering the system. User id Is used to declare the identity of a user to the system. A user ID should generally be unique, and the most common form of this is a user ID. The system must adopt a policy to maintain all user ids. There are three authentication methods to verify the validity and authenticity of user ids. One is the secret information of users, such as passwords, keys, and PIN codes. The second is the user’s personal possession of specific items with authentication information, such as magnetic cards, IC cards, etc.; Third, the specific physiological and biological characteristics of the user, such as voice, fingerprint, etc. In the same system, one authentication method can be used independently or multiple authentication methods can be used jointly.
(2) Logical access control
Logical access control (LCA) is a system – based access control technology used to control the access of specific users to specific resources. In general, users are divided into different groups and granted different access permissions to achieve logical access control over users, preventing users from accessing resources that they do not need to access or access irrelevant to their work.
(3) Audit and tracking
Audit and track one or more operating records of the system. After an event occurs, investigate the event, analyze its time, cause, activity content, related events caused, users involved, etc.
(4) Public access control
If an application system is open to the public and allows the public to access, the main threat is anonymous attack from the outside. Access control and other measures must be taken to protect the integrity of system data and the confidentiality of sensitive information.
Identity authentication technology
Identity authentication is to verify the validity and authenticity of users in the system.
1.1 Password Authentication Mode
To use password authentication, a user must have a unique system ID and ensure that the password is secure in the system use and storage process, and the password cannot be stolen or replaced during transmission. In addition, it should be noted that before authentication, the user must confirm the authenticator’s real identity, in order to prevent the password to impersonate the authenticator.
The one-way authentication process using password is generally as follows: establish a secure connection between the request authenticator and the authenticator, and confirm the authenticator’s identity, etc. Then the request authenticator sends the authentication request to the authenticator, the authentication request must include the ID and password of the request authenticator; The authenticator accepts the ID and password and finds the requested ID and password in the user database. Find if there is this user and compare the two passwords are the same; Finally, the authentication result is sent back to the requester. If the requesting authenticator’s ID is in the authenticator’s user database and the password sent by the requesting authenticator is the same as the corresponding password in the database, the requesting authenticator is allowed to pass authentication.
1.2 Authentication Mode Based on public key signature
The identity authentication of the public-key signature algorithm is realized by the digital signature of a random number between the requestor and the authenticator (for bidirectional authentication, the requestor and the authenticator are each other). In this way, the personal secret information of the authentication parties does not need to be transmitted over the network, thus reducing the risk of password leakage and other secret information.
There is a big difference between digital signature authentication and password authentication: password authentication usually takes place before the formal data exchange begins. Once the authentication is passed, the two parties establish a secure channel for communication. The subsequent communication is considered secure and identity authentication is no longer required. Digital signature authentication is performed in each request and response, that is, the receiving party authenticates the identity of the sender from the received information first, and processes the received information after the authentication succeeds.
Requirements for identity authentication using public key encryption algorithm: The authenticator must have the function of digital signature with private key. The authenticator must have the function of verifying digital signature with public key. The certifier must have the function of generating random numbers, and the quality of random numbers must meet certain requirements. In identity authentication using public key encryption algorithm, the private key used for digital signature is kept secret by the authenticator who participates in communication, while the public key used for verifying digital signature needs to be distributed in a reliable way. You can use a public key database or a digital certificate issued by a certification authority (for details about certification authorities and digital certificates, see the PKI section).
If a public key database is used to manage the public key, the request authenticator ID is included in the authentication request and sent to the authenticator, who uses the ID to obtain the requesting authenticator’s public key from the public key database. If the public key is managed by issuing a digital certificate, the digital certificate of the authenticator is included in the request and sent to the authenticator. After verifying the digital certificate of the authenticator, the authenticator obtains the public key from the digital certificate.
1.3 Card holding authentication method
Magnetic card was the earliest card holder authentication method. The most important part of a magnetic card is the track, which stores not only data but also the user’s identity. Currently used card is IC card, compared with magnetic card, in addition to its large storage capacity, but also a card multi-purpose, at the same time with high reliability, long life, reading and writing mechanism is simple and reliable, cheap, convenient maintenance, easy to promote and many other advantages.
Because of these advantages, IC cards are widely used around the world. IC cards are generally divided into unencrypted public areas, encrypted data areas, and some have their own operating systems and microprocessors. IC cards have been widely used in identity authentication. General IC cards are used with the user’s personal PIN. In offline systems, the PIN is stored in the card in encrypted form, and the identification device reads the identity information in the IC card, then decrypts the PIN and compares it with the PIN entered by the user to determine whether the IC card holder is legitimate. In the online system, the PIN does not exist in the IC card, but in the host system. During identification, the system compares the PIN entered by the user with the PIN of the host to verify the validity of its identity.
1.4 Authentication method based on human biometrics
This method refers to the use of computers, the inherent physiological or behavioral characteristics of the human body for personal identification. Compared with traditional identification methods, biometric authentication technology has outstanding advantages: first, it will not be forgotten or lost; Two is good anti-counterfeiting performance, can not be forged; Third, it can be used anytime and anywhere.
Can be used to identify the biological characteristics of general have extensive sex, everyone should have this feature), uniqueness, everyone has different characteristics should be), stability (the selected features should not change over time) and can be collected (of the selected features should facilitate acquisition, measurement). At present, the biometric features that can be used for identification mainly include fingerprint, handwriting, face image, infrared temperature, retina, hand shape, palmprint and so on. Because biometric devices are more complex than other authentication devices, they are often used in highly classified situations, such as the military.
Biometric recognition mainly adopts pattern recognition technology. The working mode of identity recognition system is divided into recognition mode and identification mode, and its performance indexes mainly include error rejection rate and error acceptance rate. These parameters need to be carefully considered when choosing this authentication mode.
1.5 Dynamic Password Technology (One-time Password Technology)
In general, the computer passwords used are static, that is, they are relatively constant for a certain period of time and can be used repeatedly. Such passwords can easily be hijacked by sniffer programs in the system and are vulnerable to dictionary-based violence.
Aiming at the defects of this static password authentication method, people put forward a method to generate one-time password by using hash function, that is, the password used by the user is changed every time he logs in the system. A one-time password is a password that changes dynamically due to the operation factor that generates the password. The generation factor of one-time password generally adopts double operation factor: one is the user’s private key, which represents the user’s identification code and is fixed. The second is the variable factor, it is the constant change of the variable factor, can produce the dynamic one-time password.
Dynamic password card is used in the authentication mode of dynamic password technology, which is an intelligent hardware product that is easy to carry. The components and programs built into the card can dynamically calculate the new password by adding other factors to the key in the card. When the password card holder enters the password into the computer, the authentication server in the system will calculate the authentication password corresponding to the password card according to the same algorithm and dynamic factor, and compare the password with the password generated by the password card for identity authentication.
1.6 Authentication Protocols in PPP
Point-to-point Protocol (PPP) provides a standard way to encapsulate network-layer Protocol information over point-to-point links. PPP also defines a scalable link control protocol. Link control protocol Uses the authentication protocol negotiation mechanism to authenticate the peer end of a link before transmitting network layer protocols at the link layer.
PPP consists of the following parts: the method of encapsulating datagrams on a serial link; Establish, configure, and test the Link Control Protocol (LCP) for data Link connections; Establish and configure a set of Network Control Protocols (NCP) for different Network layer protocols. PPP defines two authentication protocols: Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP), There is also Extensible Authentication Protocol (EAP). A typical PPP link establishment process is divided into three phases: creation phase, authentication phase, and network layer negotiation phase.
(1) Creation stage
At this stage, the basic mode of communication will be selected. The two devices send configuration information to each other through LCP to establish a link. During link creation, only authentication protocols are selected, and user authentication is implemented in the authentication phase.
(2) Certification stage
At this stage, the client sends its identity to the remote access server. This phase uses a secure authentication method to prevent a third party from stealing data or impersonating a remote client to take over the connection to the client. If the authentication succeeds, the system switches to the network layer negotiation phase. If the authentication fails, the link is terminated.
(3) Network layer negotiation stage
After the authentication phase is complete, PPP invokes the various NCP negotiation high-level protocol issues selected during the link creation phase, for example, where IP control protocol can assign dynamic addresses to incoming users. Thus, after three phases, a complete PPP link is established.
The most common authentication protocols are PAP and CHAP, and EAP.
(1) the PAP
PAP is a simple plaintext authentication method. The network access server requires users to provide user names and passwords. PAP returns user information in plaintext and provides no protection against loopback, repeated authentication, and error attacks. Obviously, the security of this authentication method is poor. The third party can easily obtain the transmitted user name and password, and use this information to establish a connection with the network access server to obtain the resources provided by the network access server. Therefore, PAP does not protect users from third-party attacks once their passwords are stolen.
(2) the CHAP
CHAP is an encrypted authentication mode that avoids the transmission of plaintext passwords during connection establishment. The network access server sends a challenge password to the remote user that includes the session ID and an arbitrary generated challenge string. The remote client uses the MD5 hash algorithm to return the user name and encrypted challenge password, session ID, and user password. CHAP is an improvement over PAP. Instead of sending plaintext passwords over links, CHAP encrypts the passwords using the hash algorithm. Because the server side holds the plaintext password of the client, the server can repeat the hash operation performed by the client and compare the result with the password returned by the user. CHAP generates a challenge string for each authentication to prevent attacks. During the connection, the CHAP repeatedly sends challenge passwords to the client at random to prevent unauthorized intruders from posing as remote clients.
HAP authentication has the following advantages: (1) CHAP prevents replay attacks through variable challenge passwords and random and repeated challenge passwords. ② The authentication method depends on the shared key between the authenticator and the peer end. The key is not sent over a link. ③ Although the authentication is one-way, CHAP negotiation is carried out in both directions. The same key can be used to implement interactive authentication easily. (4) Because CHAP can be used in many different system authentication, the user name can be used as an index to find the correct key in a large key table. It is also possible to support multiple username-key pairs in a single system, changing keys at any time during a session.
CHAP design requirements:
(1) The CHAP algorithm requires that the key must be at least 1 byte long, which is difficult to guess. The key must be at least the length of the hash code selected by the hash algorithm to ensure that the key is not vulnerable to exhaustive search attacks. The hashing algorithm chosen must ensure that it is computationally infeasible to determine the key from the known challenge password and response value. ② Each challenge password should be unique; otherwise, under the same key, repeated challenge password will enable the attacker to reply with the previously intercepted response value. Because you want the same key to be used for authentication on geographically dispersed servers, the challenge password should be globally temporary unique. ③ Each challenge password should also be unpredictable, otherwise an attacker can trick the other party into responding to an expected challenge password, and then use the response to impersonate the peer spoofing authenticator. Although CHAP does not prevent active wiretapping attacks in real time, it can prevent most active attacks by generating unpredictable challenge passwords.
(3) the EAP
EAP is a universal protocol for PPP authentication and supports multiple authentication methods. The EAP does not specify the authentication method in the link control phase but in the authentication phase so that the authenticator can decide which authentication method to use after receiving more information. This mechanism also allows the PPP authenticator to simply transmit the received authentication information to the rear authentication server, which then implements various authentication methods.
The EAP authentication process is as follows: After the link phase, the authentication sends one or more request packets to the peer end. In the request packet, a type word is used to specify the information type requested by the authenticator. For example, it can be the peer ID, MD5 challenge password, one-time password, or universal password card.
The MD5 challenge password corresponds to the CHALLENGE password of CHAP authentication protocol. Typically, an authenticator sends an ID request packet first and then other request packets. The peer end responds to each request packet with a reply packet. Like the request packet, the reply packet contains a type field corresponding to the type field in the reply request packet. The authenticator sends a success or failure packet to end the authentication process.
EAP has outstanding advantages: it supports multiple authentication mechanisms that do not need to be specified at the connection establishment stage; Some devices, such as network access servers, do not care about the true meaning of each request but act as proxies to directly send authentication packets to the back-end authentication server. The device only needs to know whether the authentication result succeeds or fails and then ends the authentication.
Of course, EAP has some disadvantages: it requires a new authentication protocol to be added to the LCP, so that existing PPPS will have to be modified in order to use EAP. At the same time, using EAP is inconsistent with the existing model of specifying authentication method during LCP negotiation.
1.7 the RADIUS protocol
Remote Authentication Dial-in User Service (RADIUS) is a client/server security Authentication protocol proposed by Lucent. It provides registration and Authentication functions in dial-up networks. It is an official protocol standard for the Internet and is the popular Authentication, Authorization, and Accountion (AAA) protocol.
RADIUS puts the dial-up and authentication functions on two separate servers: the network access server (NAS) and the background authentication server (RADIUS server). A large database of user names and their corresponding authentication information is stored on a RADIUS server to provide authentication of user names and passwords and send configuration service details to users.
RADIUS has the following features: (1) RADIUS uses UDP for transmission, uses port 1812 for authentication, authorizes users after authentication, and uses port 1813 for user accounting. 2 Supports multiple authentication methods. RADIUS supports PAP, CHAP, UNIXLogin, and other authentication methods. (3) Authentication Forwarding is supported. A RADIUS server can request Authentication from another RADIUS server as a client. This is called Authentication Forwarding. (4) The protocol has good scalability. The RADIUS protocol can be further extended by using variable length attribute strings in the protocol. ⑤ Authentication information is encrypted transmission, high security. Authentication information transmitted between the RADIUS server and access server is encrypted with a preset password to prevent sensitive information from being leaked.
The RADIUS authentication process is as follows: (1) The access server obtains the user name and password (PAP password or CHAP password) from the user, and sends a RADIUS authentication request packet together with other user information (such as calling number, access number, and occupied port) to the RADIUS server for authentication. ② After receiving an authentication request packet, the RADIUS server checks whether the access server is registered and authenticates the user based on the user name and password. If the user is invalid, an access denial packet is sent to the access server. If the user is valid, the RADIUS server sends an access acceptance packet to the access server based on the user configuration information, such as the user type, IP address, connection protocol, port information, and ACL authorization. ③ When receiving an access accept/reject packet, the access server checks whether the signature in the packet is correct. If the signature is incorrect, the access server considers that it has received an invalid packet. After the signature is verified, the access server accepts the Internet access request from the user and uses the received authorization information to configure and authorize the user to restrict the user’s access to resources. If an access denial packet is received, the user’s Internet access request is rejected.
(4) After a user successfully logs in to the RADIUS server, the access server sends an accounting packet to the RADIUS server, including the connection type and protocol used by the user and other customized accounting information. When a user is disconnected, the access server sends a billing packet to the RADIUS server to notify the RADIUS server to stop billing the user. The RADIUS server charges the account to the user based on the user Settings according to the received account packet.
2 Access control technology
Based on identity authentication, access control restricts access requests of users with different identities. Authentication is concerned with the question of who you are and do you have the identity you claim to have; Access control is about what you can and can’t do. In the process of access control, the party issuing the access request, such as user, program, process, etc., is generally called the subject; Objects and resources that are accessed, such as files, databases, devices, memory areas, etc., are called objects.
In addition, there is a set of rules that define the relationship between subjects and objects and determine the access ability and authority of different subjects to different objects, called access rules. A complete access control system is composed of the above three aspects.
2.1 Access Control Policies
Access control policies can be divided into three categories: Discretionary Access Control (DAC), Mandatory Access Control (MAC) Role Based Access Control (RBAC). Among them, DAC and MAC belong to the traditional access control strategy, while RBAC is a kind of access control strategy emerged later, which is considered to have great advantages and has a good development prospect.
(1) the DAC
Discretionary access control is one of the computer system to realize the most access control mechanism, it can make the subject independently configured to determine what the body of the other can take some access to its own resources, that is, a main body with a certain competence can directly or indirectly to the permissions granted to the body of the other. Common operating systems such as Windows and UNIX implement access control by autonomous access control policies.
In this way, a user (usually the owner or super administrator of a file or resource) specifies the permission and access mode for other users of different types and groups to access the resources under its name.
In an independent access control policy, users can determine the access permissions of other users to certain resources in the system. Although this is convenient, it is difficult to ensure that this type of authorization is secure for the entire system. First, users often do not know or it is difficult to determine whether other users are suitable to have access to certain resources. Secondly, if not all users have a strong sense of security, may arbitrarily authorize, so this is a potential threat to system security; Thirdly, users themselves decide the allocation of access rights, which is not conducive to the implementation of a unified global access control system administrators;
In addition, many organizations often want the authorization and control structure for information systems to be consistent with the administrative structure of the organization. In short, an autonomous access control strategy can easily make the system out of control and leave an opportunity for illegal intruders. Therefore, the security of autonomous access control policies is not very high. With the expansion of network scale, users have higher requirements on the quality of access control services. It is difficult to meet the needs of a system with high security requirements by using independent access control policies.
(2) the MAC
Mandatory access control is the policy of granting and revoking certain access permissions uniformly, and it forces all subjects to obey the assignment of access permissions. MAC is generally used in military and security applications with multiple security levels. It divides all subjects and objects accepted in the system into several levels in advance according to the degree of trust, the position and task they are in, the sensitivity of information, and the stage of time development. For example, information can be divided into different levels such as top secret, confidential, secret and non-secret. Then the access mode is decided according to the level mark of the subject and object. Any user’s access request to any object is controlled by the division of the security level and the corresponding permission configuration. Forced access control can control the security of the system well, but it is troublesome to manage, has a lot of work and is not flexible enough.
(3) the RBAC
Both DAC and MAC access control strategies have their own characteristics, but also have their own disadvantages. Role-based access control can overcome the disadvantages of the above two and provide a good and secure system environment, so it is a very effective access control strategy in enterprise-oriented systems.
In DAC systems, there is a common situation where the end user can use some resources in an organization, but it is not the owner of the resource. The owner of the resource is the organization or all users in the organization. In this case, access rights should be set and assigned based on the role of the user, not the owner of the resource. For example, in a library, permissions should be assigned and set according to different roles such as whether a user is a distributor, document cataloger, or branch library administrator. If it is a document cataloguing staff, then he can only have the permission to view the books in circulation in the system, and have relatively high access to the books and other resources that have not been collected; If he is the administrator of a branch library, he has correspondingly high access to the readers, literature, and other resources of the branch library, but not to other users.
In other words, the access rights of a user are not directly determined by the user himself, but by the role he belongs to. The kinds of roles and access by the system administrator to define and each member belongs to what kind of role also stipulated by the system administrator, that only the system administrator shall have the right to define and assign roles, and for users to this a series of rules in the system, not have independent configuration, so this is a kind of independent access control policy.
2.2 Authorization of Access Permission
(1) Grade type
The ability to modify access control permissions of objects is divided into different levels, and subjects with higher level of modification ability can assign such permissions to subjects lower than their level. And so on, the authorization relationship of access permission is formed into a tree structure. For example, the super administrator, as the root of the hierarchy tree, could have the ability to modify the access control tables of all objects and assign such modification to any principal. The system administrator divides the users into several subsets according to the department, and grants the corresponding access control rights to the department leader to modify the right and the right to modify the right. The heads of departments can delegate their own power in the same way. The advantage of this approach is that the tree structure is similar to the actual organizational structure, and the leader can control and manage users at all levels according to the authorization of daily work needs. However, this approach also has a disadvantage, is for the same object, there may be multiple subjects have the ability to modify their access control permissions.
(2) Possessive
This type of each object has an owner (normally is the founder of the object), the owner has to have all the object of control, and can be arbitrary change has the object of access control lists, and can be granted or revoked for other subject to the object of any kind of access. But the owner does not have the right to delegate its access control right to other subjects. Authorization control is done in this way on UNIX systems.
(3) Free type
The characteristic of the free type is that the owner of an object can grant any subject access to the object he owns, and can also grant this distribution right to other subjects without any restriction. In this way, the subject who has obtained such authorization can grant such distribution rights to more subjects without being restricted by the owner of the object. This makes it difficult to control access to objects once the allocation of access control is granted. Obviously, this is not safe and is rarely used in general systems.
