July 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-1Chapter 14: Identity• What is identity• Multiple names for one thing• Different contexts, environments• Pseudonymity and anonymityJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-2Overview• Files and objects• Users, groups, and roles• Certificates and names• Hosts and domains• State and cookies• AnonymityJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-3Identity• Principal: a unique entity• Identity: specifies a principal• Authentication: binding of a principal to arepresentation of identity internal to thesystem– All access, resource allocation decisionsassume binding is correctJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-4Files and Objects• Identity depends on system containingobject• Different names for one object– Human use, eg. file name– Process use, eg. file descriptor or handle– Kernel use, eg. file allocation table entry, inodeJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-5More Names• Different names for one context– Human: aliases, relative vs. absolute pathnames– Kernel: deleting a file identified by name canmean two things:• Delete the object that the name identifies• Delete the name given, and do not delete actualobject until all names have been deleted• Semantics of names may differJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-6Example: Names and Descriptors• Interpretation of UNIX file name– Kernel maps name into an inode using iterativeprocedure– Same name can refer to different objects at differenttimes without being deallocated• Causes race conditions• Interpretation of UNIX file descriptor– Refers to a specific inode– Refers to same inode from creation to deallocationJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-7Example: Different Systems• Object name must encode location orpointer to location– rsh, ssh style: host:object– URLs: protocol://host/object• Need not name actual object– rsh, ssh style may name pointer (link) to actualobject– URL may forward to another hostJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-8Users• Exact representation tied to system• Example: UNIX systems– Login name: used to log in to system• Logging usually uses this name– User identification number (UID): uniqueinteger assigned to user• Kernel uses UID to identify users• One UID per login name, but multiple login namesmay have a common UIDJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-9Multiple Identities• UNIX systems again– Real UID: user identity at login, but changeable– Effective UID: user identity used for access control• Setuid changes effective UID– Saved UID: UID before last change of UID• Used to implement least privilege• Work with privileges, drop them, reclaim them later– Audit/Login UID: user identity used to track originalUID• Cannot be altered; used to tie actions to login identityJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-10Groups• Used to share access privileges• First model: alias for set of principals– Processes assigned to groups– Processes stay in those groups for their lifetime• Second model: principals can changegroups– Rights due to old group discarded; rights dueto new group addedJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-11Roles• Group with membership tied to function– Rights given are consistent with rights needed toperform function• Uses second model of groups• Example: DG/UX– User root does not have administration functionality– System administrator privileges are in sysadmin role– Network administration privileges are in netadmin role– Users can assume either role as neededJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-12Naming and Certificates• Certificates issued to a principal– Principal uniquely identified to avoid confusion• Problem: names may be ambiguous– Does the name “Matt Bishop” refer to:• The author of this book?• A programmer in Australia?• A stock car driver in Muncie, Indiana?• Someone else who was named “Matt Bishop”July 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-13Disambiguating Identity• Include ancillary information in names– Enough to identify principal uniquely– X.509v3 Distinguished Names do this• Example: X.509v3 Distinguished Names– /O=University of California/OU=Daviscampus/OU=Department of ComputerScience/CN=Matt Bishop/refers to the Matt Bishop (CN is common name) in theDepartment of Computer Science (OU isorganizational unit) on the Davis Campus of theUniversity of California (O is organization)July 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-14CAs and Policies• Matt Bishop wants a certificate from Certs-from-Us– How does Certs-from-Us know this is “Matt Bishop”?• CA’s authentication policy says what type and strength ofauthentication is needed to identify Matt Bishop to satisfy theCA that this is, in fact, Matt Bishop– Will Certs-from-Us issue this “Matt Bishop” acertificate once he is suitably authenticated?• CA’s issuance policy says to which principals the CA willissue certificatesJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-15Example: Verisign CAs• Class 1 CA issued certificates to individuals– Authenticated principal by email address• Idea: certificate used for sending, receiving emailwith various security services at that address• Class 2 CA issued certificates to individuals– Authenticated by verifying user-supplied realname and address through an online database• Idea: certificate used for online purchasingJuly 1, 2004 Computer Security: Art and Science©2002-2004 Matt BishopSlide #15-16Example: Verisign CAs• Class 3 CA issued certificates to individuals– Authenticated by background check frominvestigative service• Idea: higher level of assurance of identity thanClass 1 and Class 2 CAs• Fourth CA issued certificates to web servers– Same authentication policy as Class 3 CA• Idea: consumers using these sites had high degreeof assurance the web site was not