Lecture 19 Notes
by Stacy Nease, Bryan Parker and Alexander Kim
Access Control Mechanisms
Access Control List (ACL)
ACL uses a mapping from users (principals) to rights which apply to objects.
Examples of Rights:
- a principal can read an object
- a principal can write an object
- a principal can list an object
- a principal can change ACL for an object
Examples of Objects:
- processes
- threads
- files
- directories
The more objects a system has, the more rights it will need. This means more policies will have to be implemented.
The more flexible a system is, the harder it will be to manage the policies of that system.
Example of ACL use:
- We have a file /g/grades.txt
- Only the user Eddie is allowed to read or write this file
We want the ACL to give us these results:
ACL(eddie, "/g/grades.txt") = {READ, WRITE}
ACL(christina, "/g/grades.txt") = { } //empty set
//the words in braces are the rights that user has for the object "/g/grades.txt"
In this example the user eddie should be able to Read and Write to /g/grades.txt without any problems, but the user christina shouldn't be able to modify the file at all.
Unix Principals
Example of ACL use in which every principal has a different set of rights:
| User name | Rights |
|---|---|
| eddie | RW |
| eddie2 | W |
| eddie3 | RWX |
| eddie4 | X |
- Advantages: very flexible
- Disadvantages:
- requres unbounded space
- new users have no rights
Example of ACL use with user and group IDs:
- Each object has:
- User ID (Uobj)
- Group ID (Gobj)
- Each object has three sets of rights:
- User rights (Ruser)
- Group rights (Rgroup)
- Other rights (Rother)
Psuedo code for ACL:
ACL(U, OBJ) =
if U = U(obj), then use R(user) rights
else if U is in U(group), then use R(group) rights
else, use R(other) rights
- Advantages:
- more bounded space
- somewhat flexible
Say we want to see the rights each group has:
$ ls -la /g drwxrwxr-x eddie CS111 . -rw-r--r-- eddie CS111 grades.txt
- The first column is the list of rights. Within this listing:
- The first character is the File Type.
- The next three are User's Rights (Ruser)
- The next three are Group's Rights (Rgroup)
- The final three are Other Rights (Rother)
- The second column is the user's name
- The third column is the group's name
- The final column is the filename
.
Encryption
Symmetric Encryption
P (plain text), K (key), {P}K (cipher text)
| If we have | Getting | Difficulty |
|---|---|---|
| P,K | {P}K | easy |
| {P}K,K | P | easy |
| P | {P}K | hard |
| {P}K | P | hard |
Example: Authenticate Alice's log in to Bob's computer
KA known to both A and B, but nobody else
A=>B: {Alice}KAlice
B=>A: Ok
but if there is an eavesdropper, Eve (replay attack)...
E=>B: {Alice}KAlice
B=>E: Ok
There is no integrity, since we dont know if Alice is really the person sending the data.
So, what if we have B send A a nonce (object used once to guarantee freshness) to encrypt (to verify that A does in fact have the key)?
A=>B: Hi Alice
B=>A: Nonce
A=>B: {Nonce}KAlice
B=>A: Ok
but if we have a person in the middle, Lucifer...
L=>B: request(Alice's address)
this is possible since the data sent after the intial check is not encrypted.
Asymmetric Encryption
P (plain text), Kpub (public key), Kpriv (private key)
| If we have | Getting | Difficulty |
|---|---|---|
| P,Kpub | {P}Kpub | easy |
| {P}Kpub,Kpriv | P | easy |
| {P}Kpub,Kpub | P | hard |
| P,Kpriv | {P}Kpriv | easy |
| {P}Kpriv,Kpub | P | easy |
Example: Authenticate Alice to Bob's computer (part 2)
Alice knows: KApub, KApriv, KBpub
Bob knows: KBpub, KBpriv, KApub
A=>B: {Nonce1, Alice}KBpub
B=>A: {Nonce1, Nonce2}KApub
A=>B: {Nonce2, Ksession}KBpub
The intial encryption is expensive, but using Ksession is cheaper (and therefore easier to break).
