Perimeter
11/9/2012
03:01 PM
Gunnar Peterson
Gunnar Peterson
Commentary
50%
50%

Puzzle Logic

Authentication is an enduring mystery, but solving authorization puzzles may be a better use of your security resources

Access control is all about who are you and what you are allowed to do. As it turns out, one of those questions is easy to reliably answer, and the other basically impossible. Malcolm Gladwell wrote on the difference between puzzles and mysteries:

"The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large.

The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad."

In access control, we try to solve the "who are you" question with authentication and the "what are you allowed to do" question with authorization. However, the authentication process is really just an attempt to solve a mystery: We try to stitch together some details and guess whether the person on the other end of the http connection matches the record in the user directory. This cannot be done reliably or cost-effectively. Consider this list of 25 different authentication contexts supported by SAML (PDF) alone:

  • IP
  • IP Password
  • Kerberos
  • Mobile One Factor Unregistered
  • Mobile Two Factor Registered
  • Mobile One Factor Contract
  • Mobile Two Factor Contract
  • Password
  • Password Protected transport
  • Previous Session
  • Public Key X.509
  • Public Key PGP
  • Public Key SPKI
  • Public Key XML Digital Signature
  • Smartcard
  • Smartcard PKI
  • Software PKI
  • Telephony
  • Telephony Nomadic
  • Telephony Personalized
  • Telephony Authenticated
  • Secure remote password
  • SSL/TLS Client Authentication
  • Time Sync Token
  • Unspecified

That's a lot of guesswork! The Infosec community, which has been underfunded since its inception, has come up with dozens of ways to guess at who a user is. It's an important problem, no doubt, but one seemingly without an answer.

Meanwhile, investment in authorization (solving puzzles) has languished. Sure, we have advanced from access-control lists to role-based access control, and some leading-edge companies are looking at attribute-based access control and standards like XACML. Still, the resources devoted to attempts at illuminating authentication mysteries dwarf solving authorization puzzles.

The basic function of an authorization decision maps the subject user requesting access to a policy governing what type, if any, access they have to the resource and under what conditions. It's fair to point out that the authorization decision can never be stronger than the initial authentication step -- if your authentication is spoofed, all bets are off -- but even though authorization can't be stronger than authentication, it can be weaker!

This matters because while both authentication failures and authorization failures lead to vulnerabilities, authentication vulnerabilities can only be reduced (by more accurate guessing), authorization vulnerabilities can be removed, zeroed out. Yet authorization vulnerabilities persist, and so whole classes of bugs, like Cross Site Request Forgery, live on and will until more resources are devoted to solving puzzles.

Improving authentication is about improving the quality of guesses. Authentication isn't perfect, but does SAML need a 26th or 27th different type of authentication context? In contrast, wouldn't it make more sense to work with what we have and ensure the scope, granularity, and coverage of our authorization are properly fitted to the resources we need to protect?

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.