Access control is a method of restricting and allowing access to resources and scope through some means. It is a protective measure against unauthorized use of system resources. By restricting access to files and other resources, it prevents the intrusion of illegal users or the damage caused by the improper operation of legitimate users, thereby ensuring the legal use of information system resources. Access control technology can automatically and effectively prevent illegal access or improper use of system resources by controlling the computer system, detect some security violations, and support the security requirements of applications and data. Access control technology cannot replace identity authentication, it is built on the basis of identity authentication.
Access control technology includes the following aspects:
(1) User identification and authentication
User identification and authentication is a user-based access control technology, which is a conventional technical measure to prevent unauthorized users from entering the system. The user ID is used to declare the user's identity to the system. The user ID should generally be unique, and its most common form is the user ID. The system must adopt certain strategies to maintain all user identities. To verify the validity and authenticity of a user ID, there are usually three types of authentication methods: one is the secret information held by the user, such as password, key, PIN code, etc.; the other is the user’s personal information with authentication information. Specific items, such as magnetic cards, IC cards, etc.; third, specific physiological and biological characteristics of the user, such as voice, fingerprints, etc. In the same system, one authentication method can be used alone, or multiple authentication methods can be combined.
(2) Logical access control
Logical access control is a system-based access control technology used to control specific users' access to specific resources. Usually, users are divided into different groups, and then different access rights are granted to the groups to implement logical access control to the users, and prevent users from accessing resources that he does not need to access, or performing non-work related access.
(3) Audit and follow-up
Audit and track one or more operating records of the system, investigate the incident after the incident, analyze its time, cause, activity content, related incidents triggered, and users involved.
(4) Public access control
If an application system is open to the public and the public is allowed to access it, the main threat it faces is an anonymous attack from the outside, and measures such as access control must be taken to protect the integrity of system data and the confidentiality of sensitive information.
1 Identity authentication technology
Identity authentication is to verify the validity and authenticity of system users.
1.1 Password authentication method
To use password authentication, the user must have a unique system identification, and ensure that the password is safe during the use and storage of the system, and the password cannot be stolen or replaced during transmission. In addition, it is important to note that before authentication, the user must confirm the authenticator's real identity to prevent the password from being sent to the fake authenticator.
The one-way identity authentication process using a password is generally: request the authenticator and the authenticator to establish a secure connection, and confirm the authenticator's identity; then request the authenticator to send an authentication request to the authenticator, the authentication request must include the requesting authenticator ID and password; the authenticator accepts the ID and password, finds the ID and password requested for authentication in the user database; looks for the user and compares whether the two passwords are the same; finally sends back the authentication result to the requesting authenticator. If the ID of the requesting authenticator is in the authenticator's user database, and the password sent by the requesting authenticator is the same as the corresponding password in the database, the requesting authenticator is allowed to pass the authentication.
1.2 Authentication method based on public key signature
The identity authentication method of the public key signature algorithm is to do digital signature and verification digital signature for a random number between the requesting authenticator and the authenticator (for two-way identity authentication, the two parties are the requesting authenticator and the authenticator). Achieved. In this way, the personal secret information of the authenticated parties does not need to be transmitted on the network, thereby reducing the risk of leakage of secret information such as passwords.
There is a big difference between digital signature technology authentication and password authentication: password authentication is usually carried out before the start of formal data exchange. Once the authentication is passed, the two parties will establish a secure channel for communication. The subsequent communication is considered safe and no identity authentication will be carried out; and the digital signature authentication is carried out in every request and response, that is, the party receiving the information first receives the information The identity information of the sender is verified in the information, and the received information is processed accordingly after the verification is passed.
The use of public key encryption algorithm for identity authentication requires: the requesting authenticator must have the private key to achieve the function of digital signature; the authenticator must have the function of using the public key to verify the digital signature; the authenticator must have the function of generating random numbers, and the function of random numbers The quality must meet certain requirements. The public key encryption algorithm is used for identity authentication, and the private key used for digital signature is kept secret by the authenticator participating in the communication, and the public key used for verifying the digital signature needs to be distributed in a reliable manner. Generally, you can use the public key database method or use the certification authority to issue a digital certificate (for the content of the certification authority and digital certificate, please refer to the PKI section above).
If a public key database is used to manage the public key, the requesting authenticator ID is included in the authentication request and sent to the authenticator, and the authenticator uses the ID to obtain the public key of the requesting authenticator from the public key database. If the public key is managed by a digital certificate issued by a certification authority, the digital certificate of the requesting certifier is included in the certification request and issued to the certifier. After the certifier verifies the digital certificate of the requesting certifier, the certificate of the requesting certifier is obtained from the digital certificate. Public key.
1.3 Card authentication method
The first method of card-holding authentication was a magnetic card. The most important part of the magnetic card is the magnetic track, which not only stores data, but also stores the user's identity information. The card currently used is an IC card. Compared with a magnetic card, in addition to a large storage capacity, it can also be used for multiple purposes. At the same time, it has high reliability, long life, simple and reliable reading and writing mechanism, low cost, convenient maintenance, and easy promotion. And many other advantages.
Due to the above advantages, IC cards are widely used all over the world. The IC card is generally divided into an unencrypted public area, an encrypted data area, etc. Some have their own operating system and microprocessor. IC cards have been widely used in the field of identity authentication. Generally, IC cards are used together with the user's personal PIN. In the offline system, the PIN is stored in the card in an encrypted form. The identification device reads the identity information in the IC card, then decrypts the PIN and compares it with the PIN entered by the user to determine whether the IC card holder is legal. In the online system, the PIN may not exist on the IC card, but in the host system. During authentication, the system compares the PIN entered by the user with the PIN of the host to verify the legitimacy of its identity.
1.4 Authentication method based on human biological characteristics
This method refers to the use of the human body's inherent physiological characteristics or behavioral characteristics for personal identification through a computer. Compared with traditional identification methods, biometric authentication technology has outstanding advantages: first, it will not be forgotten or lost; second, it has good anti-counterfeiting performance and cannot be forged; third, it can be used anytime and anywhere.
The biological characteristics that can be used to identify identity are generally broad (everyone should have this characteristic), uniqueness (the characteristics of each person should be different), and stability (the selected characteristics should not change over time Change) and collectability (the selected features should be easy to collect and measure). At present, the biological characteristics that can be used for identity authentication mainly include fingerprints, handwriting, facial images, infrared temperature, retina, hand shape, palm prints, etc. Since biometric identification equipment is more complex than other identity authentication equipment, it is generally used in very important confidential occasions, such as military.
Biometric recognition mainly uses pattern recognition technology. The working mode of the identity recognition system is divided into recognition mode and authentication mode, and its performance indicators mainly include false rejection rate and false acceptance rate. These parameters need to be carefully considered when choosing this authentication method.
1.5 Dynamic password technology (one-time password technology)
In general, the computer passwords used are static, which means that they are relatively constant within a certain period of time and can be used repeatedly. This kind of password is easily hijacked by sniffing programs in the system, and it is vulnerable to dictionary-based brute force attacks.
In view of the shortcomings of this static password authentication method, people have proposed a method of generating a one-time password using a hash function, that is, the password used by the user changes every time the user logs into the system. A one-time password is a dynamically changing password, and its change comes from the operating factor that generates the password. The generation factor of the one-time password generally adopts double operation factors: one is the user's private key, which represents the identification code of the user's identity and is fixed. The second is the change factor. It is the constant change of the change factor that can produce a dynamic one-time password.
The dynamic password password card is used in the dynamic password technology authentication method, which is an intelligent hardware product that is easy to carry. The built-in components and programs of the password card can dynamically calculate a new password through the key in the password card plus other factors. When the password card holder enters the password into the computer, the authentication server in the system will calculate the authentication password corresponding to the password card based on the same algorithm and dynamic factors, and compare this password with the password generated by the password card. Perform identity authentication.
1.6 Authentication protocol in PPP
Point-to-Point Protocol (PPP) provides a standard method for encapsulating network layer protocol information on point-to-point links. PPP also defines an extensible link control protocol. The link control protocol uses a verification protocol negotiation mechanism to verify the opposite end of the link before transmitting the network layer protocol on the link layer.
PPP includes the following parts: a method of encapsulating datagrams on a serial link; a link control protocol (Link Control Protocol, LCP) for establishing, configuring, and testing data link connections; establishing and configuring one of different network layer protocols Group Network Control Protocol (Network Control Protocol, NCP). The PPP protocol defines two authentication protocols: Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (Challenge-Handshake Authentication Protocol, CHAP), in addition to the Extensible Authentication Protocol (EAP). A typical PPP link establishment process is divided into three stages: the establishment stage, the authentication stage and the network layer negotiation stage.
(1) Creation stage
At this stage, the basic communication method will be selected. Devices at both ends of the link send configuration information to each other through LCP to establish the link. In the link creation phase, only the verification protocol is selected, and the specific user verification process is implemented in the authentication phase.
(2) Certification stage
At this stage, the client sends its identity to the remote access server. At this stage, a secure authentication method is used to prevent third parties from stealing data or pretending to be remote clients to take over the connection with the client. If the authentication is successful, it will go to the network layer negotiation stage. If the authentication fails, the link is terminated.
(3) Network layer negotiation stage
After the authentication phase is completed, PPP will call various NCPs selected in the link creation phase to negotiate high-level protocol issues. For example, the IP control protocol can assign dynamic addresses to dial-in users at this phase. In this way, after three stages, a complete PPP link is established.
The most commonly used authentication protocols are PAP and CHAP, in addition to EAP.
(1) PAP
PAP is a simple plaintext verification method. The network access server requires the user to provide a user name and password. PAP returns user information in plain text, and there is no protection against loopback or repeated authentication and error attacks. Obviously, the security of this authentication method is poor, and a third party can easily obtain the transmitted user name and password, and use this information to establish a connection with the network access server to obtain the resources provided by the network access server. Therefore, once the user password is stolen by a third party, PAP cannot provide safeguards against third party attacks.
(2) CHAP
CHAP is an encrypted authentication method that can avoid transmitting the user's plain text password when establishing a connection. The network access server sends a challenge password to the remote user, which includes the session ID and a randomly generated challenge string. The remote client uses the MD5 hash algorithm to return the user name and encrypted challenge password, session ID and user password. CHAP improves PAP. Instead of sending a plaintext password directly over the link, it uses a challenge password to encrypt the password with a hash algorithm. Because the client's plaintext password is stored on the server, the server can repeat the hash operation performed by the client and compare the result with the password returned by the user. CHAP arbitrarily generates a challenge string for each authentication to prevent attacks. During the entire connection process, CHAP will randomly repeat the challenge password to the client from time to time, so as to prevent illegal intruders from posing as remote clients to attack.
The HAP authentication method has the following advantages:
① By changing the challenge password and sending the challenge password randomly and repeatedly, CHAP prevents replay attacks.
② This authentication method relies on the key shared by the authenticator and the opposite end, and the key is not sent over the link.
③ Although the authentication is one-way, CHAP negotiation is carried out in both directions, and mutual authentication can be easily realized with the same key.
④ Since CHAP can be used in many different system authentications, the user name can be used as an index to find the correct key in a large key table. In this way, multiple user name-key pairs can be supported in one system, and the keys can be changed at any time during the session.
CHAP design requirements:
① The CHAP algorithm requires that the key length must be at least 1 byte, at least it should not be easy for people to guess. The key is preferably at least the length of the hash code selected by the hash algorithm, so as to ensure that the key is not vulnerable to exhaustive search attack. The chosen hash algorithm must ensure that it is computationally infeasible to determine the key from the known challenge password and response value.
② Each challenge password should be unique, otherwise, under the same key, repeated challenge passwords will enable the attacker to answer the challenge password with the response value intercepted before. Since it is hoped that the same key can be used for authentication of different geographically dispersed servers, the challenge password should be globally and temporarily unique.
③ Each challenge password should also be unpredictable, otherwise the attacker can deceive the other party, let the other party respond to a predicted challenge password, and then use the response to impersonate the peer to deceive the authenticator. Although CHAP cannot prevent real-time active wiretapping attacks, it can prevent most active attacks as long as it can generate unpredictable challenge passwords.
(3) EAP
EAP is a general protocol used for PPP authentication and can support multiple authentication methods. EAP does not specify the authentication method in the link control phase but in the authentication phase, so that the authenticator can decide which authentication method to use after getting more information. This mechanism also allows the PPP authenticator to simply pass the received authentication information to the rear authentication server, and the rear authentication server will truly implement various authentication methods.
The authentication process of EAP is: after the link phase is completed, the authentication sends one or more request messages to the opposite end. There is a type word in the request message to indicate the type of information requested by the authenticating party, for example, it can be the ID of the opposite end, MD5 challenge password, one-time password, and universal password card.
The MD5 challenge password corresponds to the challenge password of the CHAP authentication protocol. Typically, the authenticating party first sends an ID request message and then sends other request messages. The opposite end responds with a reply message to each request message. Like the request message, the response message also contains a type field, which corresponds to the type field in the response request message. The authenticating party then ends the authentication process by sending a success or failure message.
EAP has outstanding advantages: it can support a variety of authentication mechanisms without the need to specify during the connection establishment phase; some devices, such as network access servers, do not need to care about the true meaning of each request message, but act as a proxy The authentication message is directly transmitted to the back-end authentication server, and the device only needs to care about the success or failure of the authentication result, and then ends the authentication phase.
Of course, EAP also has some shortcomings: it needs to add a new authentication protocol to LCP, so that the existing PPP must be modified to use EAP. At the same time, using EAP is also inconsistent with the existing model of specifying authentication methods during the LCP negotiation phase.
1.7 RADIUS protocol
RADIUS (Remote Authentication Dial-in User Service) protocol is a client/server security authentication protocol proposed by Lucent. It can provide registration and authentication functions in dial-up networks. It has become the official protocol standard of the Internet and is currently popular AAA (Authentication, Authorization, Accountion) protocol.
The RADIUS protocol can put the two functions of dial-up and authentication on two separate servers-the network access server (NAS) and the background authentication server (RADIUS server). A large database of user names and their corresponding authentication information is stored on the RADIUS server to provide authentication user names and passwords and send detailed information about configuration services to users.
RADIUS has very prominent features:
① The RADIUS protocol uses UDP for transmission. It uses port 1812 for authentication, and after authentication is passed, it authorizes users, and uses port 1813 for accounting.
② Support multiple authentication methods, RADIUS can support PAP, CHAP, UNIXLogin and other authentication methods;
③ Support authentication forwarding (Authentication Forwarding), a RADIUS server can act as a client of another RADIUS server to request authentication from it, which is called Authentication transfer.
④ The protocol has good scalability, and the RADIUS protocol can be further extended through the variable-length attribute string in the protocol.
⑤ The authentication information is encrypted and transmitted with high security. The authentication information transmitted between the RADIUS server and the access server is encrypted with a preset password to prevent the leakage of sensitive information, so the security is high.
The authentication process of RADIUS is as follows:
① The access server obtains the user name and password (PAP password or CHAP password) from the user, and composes RADIUS with some other information of the user (such as caller number, access number, occupied port, etc.) The authentication request packet is sent to the RADIUS server to request authentication.
② After receiving the authentication request packet, the RADIUS server first checks whether the access server has been registered, and then verifies whether the user is legal based on the user name and password in the request. If the user is illegal, an access denial packet is sent to the access server; if the user is legal, the RADIUS server will combine the user’s configuration information, such as user type, IP address, connection protocol, port information, ACL authorization, etc., to form an access The acceptance packet is sent back to the access server.
③ When the access server receives the access acceptance/rejection package, it must first determine whether the signature in the package is correct. If it is not correct, it will be deemed to have received an illegal package. After verifying the correctness of the signature, if the access acceptance package is received, the access server will accept the user’s Internet request, and use the received authorization information to configure and authorize the user to limit the user’s access to resources; if the received is The access rejection package rejects the user's Internet request.
④ When the user successfully logs in, the access server will send a connection start accounting information packet to the RADIUS server, which includes the connection type, protocol and other custom user accounting information used by the user; when the user disconnects , The access server sends an accounting information packet indicating the end of the connection to the RADIUS server to notify the RADIUS server to stop accounting for the user. The RADIUS server accounts for the user according to the user's settings according to the received accounting information packet.
2 Access control technology
Access control is based on identity authentication and restricts users' access requests based on users with different identities. Identity authentication is concerned with the question of "who you are and do you have the identity you declare"; while access control is concerned with the question of "what you can and can't do". In the process of access control, generally the party that issues access and access requests, such as users, programs, processes, etc., is called the subject; and the accessed objects and resources, such as files, databases, devices, and memory areas, are called subjects. As the object.
In addition, there is a set of rules that define the relationship between the subject and the object, and determine the ability and authority of different subjects to access different objects, called access rules. A complete access control system is composed of the above three aspects.
2.1 Access control strategy
Access control strategies can generally be divided into three categories: Discretionary Access Control (DAC), Mandatory Access Control (Mandatory Access Control, MAC), and Role Based Access Control (RBAC). Among them, DAC and MAC belong to the traditional access control strategy, while RBAC is an access control strategy that appeared later, which is considered to have great advantages and good development prospects.
(1) DAC
Autonomous access control is currently the most widely implemented access control mechanism in computer systems. It allows subjects to configure themselves to determine how other subjects can access some of their resources, that is, a certain authority Subjects can directly or indirectly grant permissions to other subjects. Common operating systems such as Windows and UNIX adopt autonomous access control strategies to implement access control.
The common way is that a certain user (generally the owner or super administrator of a certain file or resource) uses a certain method to specify the access permissions and access methods of other users of different types and groups of resources under their names. .
In an autonomous access control strategy, the user decides the access rights of other users to certain resources in the system. Although this is convenient, it is difficult to ensure that this type of authorization is safe for the entire system. First of all, users often do not know or are difficult to determine whether other users are suitable to have access to certain resources; second, if not all users have a strong sense of security and may be authorized at will, then this is a potential for system security. Thirdly, it is up to the user to decide the distribution of access rights, which is not conducive to the implementation of unified global access control by the system administrator;
In addition, many organizations often hope that the authorization and control structure adopted for the information system can be consistent with the administrative structure of the organization. In short, autonomous access control strategies can easily make the system out of control and leave opportunities for illegal intruders to take advantage of. Therefore, the security of the discretionary access control strategy is not very high. With the expansion of the network scale, users have also put forward higher requirements for the quality of access control services. It is difficult to meet the needs of a system with high security requirements by adopting autonomous access control strategies.
(2) MAC
Mandatory access control is a system that uniformly adopts a strategy of granting and revoking certain access permissions, and it is mandatory that all subjects must obey the assignment of access permissions. MAC is generally used in special applications such as military and security with more security levels. It pre-divides all subjects and objects accepted in the system into several levels according to the degree of trustworthiness, the position and the task undertaken, the sensitivity of information, the stage of time development, etc., for example, information can be divided into top secret and confidential Different levels such as, secret and no secret. Then the access mode is determined according to the level marks of the subject and the object. Any user's access request to any object is controlled by this security level division and corresponding authority configuration. Due to the excessive emphasis on the security performance of the system, the mandatory access control can control the security of the system well, but it is troublesome to manage, has a large workload, and is not flexible enough.
(3) RBAC
Both DAC and MAC access control strategies have their own characteristics, but they also have their shortcomings. The role-based access control can overcome the above two shortcomings while providing a good and secure system environment, so it is a very effective access control strategy in enterprise-oriented systems.
In the DAC system, there is a common situation that in an organization, the end user can use some resources, but it is not the owner of the resource. The owner of the resource is the organization or all users in the organization. At this time, the access authority should be set and assigned based on the user's job title, not based on the resource owner. For example, in a library, permissions should be assigned and set according to different roles such as whether a user is a circulation staff, a document cataloging staff, or a branch manager. If it is a document cataloging staff, then he can only have the right to view the resources such as books circulating in the system, and has a relatively high access right to resources such as books that have not been archived; if it is the administrator of the branch, Then he correspondingly has higher access rights to readers, documents and other resources of the branch, but not to other users.
In other words, what kind of access authority a user has does not directly depend on the user himself, but on the role he belongs to, and what kind of authority he has. The types and access rights of roles are defined by the system administrator. The type of role each member belongs to is also defined by the system administrator. That is, only the system administrator has the right to define and assign roles, and for users only Obey this series of regulations in the system, but cannot have autonomous configuration, so this is a non-autonomous access control strategy.
2.2 Authorization of access permission
(1) Grade type
The ability to modify the access control authority of an object is divided into different levels. Subjects with high-level modification capabilities can assign this authority to subjects with lower levels. By analogy, the authorization relationship of access permissions is formed into a tree structure. For example, the super administrator can be the root of this hierarchical tree, has the ability to modify the access control list of all objects, and can assign this modification right to any subject. The system administrator divides users into multiple subsets according to departments, and grants the department leaders the right to modify the corresponding access control permissions and the right to assign the modification rights. Department leaders can delegate the power they own in the same way. The advantage of this approach is that the tree structure is similar to the actual organization, and the leader can be authorized to control and manage users at all levels according to daily actual work needs. But this method also has a disadvantage, that is, for the same object, there may be multiple subjects with the ability to modify its access control authority.
(2) Ownership
This type has an owner for each object (generally the creator of the object), and the owner has all control rights over the object it owns, and can modify the access control list of the object it owns. , And can grant or revoke any kind of access rights to other subjects. However, the owner has no right to grant other subjects the right to allocate access control rights to the object. In UNIX systems, this method is used for authorization control.
(3) Free type
The characteristic of the free type is that the owner of an object can grant any subject access to the object he owns, and can also grant this distribution right to other subjects without any restriction. In this way, the subject that has obtained this authorization can grant this distribution right to more subjects without being restricted by the owner of the object. In this way, once the distribution right of access control is granted, it is difficult to control access to the object. Obviously, the security is relatively poor, and this method is rarely used in general systems.
