Perimeter
11/9/2012
03:01 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Puzzle Logic

Authentication is an enduring mystery, but solving authorization puzzles may be a better use of your security resources

Access control is all about who are you and what you are allowed to do. As it turns out, one of those questions is easy to reliably answer, and the other basically impossible. Malcolm Gladwell wrote on the difference between puzzles and mysteries:

"The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large.

The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad."

In access control, we try to solve the "who are you" question with authentication and the "what are you allowed to do" question with authorization. However, the authentication process is really just an attempt to solve a mystery: We try to stitch together some details and guess whether the person on the other end of the http connection matches the record in the user directory. This cannot be done reliably or cost-effectively. Consider this list of 25 different authentication contexts supported by SAML (PDF) alone:

  • IP
  • IP Password
  • Kerberos
  • Mobile One Factor Unregistered
  • Mobile Two Factor Registered
  • Mobile One Factor Contract
  • Mobile Two Factor Contract
  • Password
  • Password Protected transport
  • Previous Session
  • Public Key X.509
  • Public Key PGP
  • Public Key SPKI
  • Public Key XML Digital Signature
  • Smartcard
  • Smartcard PKI
  • Software PKI
  • Telephony
  • Telephony Nomadic
  • Telephony Personalized
  • Telephony Authenticated
  • Secure remote password
  • SSL/TLS Client Authentication
  • Time Sync Token
  • Unspecified

That's a lot of guesswork! The Infosec community, which has been underfunded since its inception, has come up with dozens of ways to guess at who a user is. It's an important problem, no doubt, but one seemingly without an answer.

Meanwhile, investment in authorization (solving puzzles) has languished. Sure, we have advanced from access-control lists to role-based access control, and some leading-edge companies are looking at attribute-based access control and standards like XACML. Still, the resources devoted to attempts at illuminating authentication mysteries dwarf solving authorization puzzles.

The basic function of an authorization decision maps the subject user requesting access to a policy governing what type, if any, access they have to the resource and under what conditions. It's fair to point out that the authorization decision can never be stronger than the initial authentication step -- if your authentication is spoofed, all bets are off -- but even though authorization can't be stronger than authentication, it can be weaker!

This matters because while both authentication failures and authorization failures lead to vulnerabilities, authentication vulnerabilities can only be reduced (by more accurate guessing), authorization vulnerabilities can be removed, zeroed out. Yet authorization vulnerabilities persist, and so whole classes of bugs, like Cross Site Request Forgery, live on and will until more resources are devoted to solving puzzles.

Improving authentication is about improving the quality of guesses. Authentication isn't perfect, but does SAML need a 26th or 27th different type of authentication context? In contrast, wouldn't it make more sense to work with what we have and ensure the scope, granularity, and coverage of our authorization are properly fitted to the resources we need to protect?

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web