Perimeter
11/9/2012
03:01 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Puzzle Logic

Authentication is an enduring mystery, but solving authorization puzzles may be a better use of your security resources

Access control is all about who are you and what you are allowed to do. As it turns out, one of those questions is easy to reliably answer, and the other basically impossible. Malcolm Gladwell wrote on the difference between puzzles and mysteries:

"The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large.

The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad."

In access control, we try to solve the "who are you" question with authentication and the "what are you allowed to do" question with authorization. However, the authentication process is really just an attempt to solve a mystery: We try to stitch together some details and guess whether the person on the other end of the http connection matches the record in the user directory. This cannot be done reliably or cost-effectively. Consider this list of 25 different authentication contexts supported by SAML (PDF) alone:

  • IP
  • IP Password
  • Kerberos
  • Mobile One Factor Unregistered
  • Mobile Two Factor Registered
  • Mobile One Factor Contract
  • Mobile Two Factor Contract
  • Password
  • Password Protected transport
  • Previous Session
  • Public Key X.509
  • Public Key PGP
  • Public Key SPKI
  • Public Key XML Digital Signature
  • Smartcard
  • Smartcard PKI
  • Software PKI
  • Telephony
  • Telephony Nomadic
  • Telephony Personalized
  • Telephony Authenticated
  • Secure remote password
  • SSL/TLS Client Authentication
  • Time Sync Token
  • Unspecified

That's a lot of guesswork! The Infosec community, which has been underfunded since its inception, has come up with dozens of ways to guess at who a user is. It's an important problem, no doubt, but one seemingly without an answer.

Meanwhile, investment in authorization (solving puzzles) has languished. Sure, we have advanced from access-control lists to role-based access control, and some leading-edge companies are looking at attribute-based access control and standards like XACML. Still, the resources devoted to attempts at illuminating authentication mysteries dwarf solving authorization puzzles.

The basic function of an authorization decision maps the subject user requesting access to a policy governing what type, if any, access they have to the resource and under what conditions. It's fair to point out that the authorization decision can never be stronger than the initial authentication step -- if your authentication is spoofed, all bets are off -- but even though authorization can't be stronger than authentication, it can be weaker!

This matters because while both authentication failures and authorization failures lead to vulnerabilities, authentication vulnerabilities can only be reduced (by more accurate guessing), authorization vulnerabilities can be removed, zeroed out. Yet authorization vulnerabilities persist, and so whole classes of bugs, like Cross Site Request Forgery, live on and will until more resources are devoted to solving puzzles.

Improving authentication is about improving the quality of guesses. Authentication isn't perfect, but does SAML need a 26th or 27th different type of authentication context? In contrast, wouldn't it make more sense to work with what we have and ensure the scope, granularity, and coverage of our authorization are properly fitted to the resources we need to protect?

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.