SECURITY/3000: A NEW APPROACH TO LOGON SECURITY

by Eugene Volokh, VESOFT

Presented at 1982 HPIUG Conference, Copenhagen, DANMARK
Published in "Thoughts & Discourses on HP3000 Software", 1st ed.

ABSTRACT

With the advent of computers, a new age of information processing dawned. And, together with it, a new threat to information security was born -- the threat of computer crime. This paper will tell you why you should buy SECURITY/3000, VESOFT's answer to at least one part of the security problem -- logon security.

THE PROBLEM

Security is the art of restricting access to certain entities. One of the fundamental aspects of all security systems is accessor identification, i.e. determining who the person who wants to access a given entity really is. In computer security, this form of security is called logon security. Once this level of security is passed, the accessor is no longer Joe Smith, but rather JOE.PAYROLL (with the underlying assumption that JOE.PAYROLL really is Joe Smith). If John Doe can sign on as JOE.PAYROLL, the computer will still think that he is Joe Smith, and will let him do anything that Joe can do, regardless of any further levels of security that exist on the system. Thus, if your logon security system is inadequate, no additional layers of security can help -- your system is wide open to any would-be computer criminals.

Thus, a good logon security system must ensure user ID integrity, and, if a violation is detected, it must take proper measures to inform appropriate people (e.g. the system manager and the console operator) of the violation. Furthermore, it must protect against internal tampering with the security system by maintaining a clear audit trail of all security modifications. And, it may also be of benefit for it to prevent user access at times and from places in which it is easiest to penetrate system security (e.g. on weekends, after hours, over telephone lines, etc.)
Unfortunately (for you, but fortunately for us vendors), HP's logon security system does not meet the above requirements. No time of day, day of week, or terminal number security is provided; no audit trail of password removals, additions, or modifications is kept; only the console operator is informed of any violations (via a message that is virtually indistinguishable from a number of other messages sent to the system console); and, as we will demonstrate below, user ID integrity is easily compromised.

In order to ensure user ID integrity, HP's logon security system uses passwords. However, these passwords provide only an illusion of security, because:

* There is only one password for each level (user, account, or group) of security. Thus, knowing this one password guarantees that you can penetrate that level of security.

* Many people treat passwords as a dispensable nuisance, and therefore readily reveal their passwords to unauthorized persons. To a person who does not perceive the security value of a password, it is much easier to tell someone the password than to question whether someone should really know it. Similarly, people have no qualms about writing passwords down if they have trouble remembering them (in one case, the user actually wrote the password down and stuck it to her terminal!).

* Passwords are stored in the system in clear text. Thus, they may be readily found in job streams, discarded LISTDIR2 listings, on SYSDUMP tapes, etc.

Thus, if you are relying on HP's logon security system, you and your information can easily fall prey to computer crime.

THE SOLUTION

USER ID INTEGRITY

Instead of conventional passwords, SECURITY/3000 uses personal profile passwords -- answers to personal questions such as "WHAT IS YOUR MOTHER'S MAIDEN NAME?", "WHAT CITY WAS YOUR GRANDFATHER BORN IN?", etc. (If you don't like our questions, you can configure your own.)
Instead of asking the same question all the time, SECURITY/3000 asks a random one out of a number of questions (up to 30, user-configurable). And, instead of keeping the answers stored in clear text, it encrypts them using a special one-way encryption system, through which the answers cannot be decrypted by anybody. Thus, passwords are automatically imbued with a psychological security significance; knowledge of all passwords is required to be sure of being able to access the system, even though the user is asked only one at logon time; and, passwords are made impossible to determine. Thus, SECURITY/3000 avoids the disadvantages of HP's logon security.

VIOLATION REPORTING

Unlike HP's logon security system, which reports security violations only to the system console, SECURITY/3000 reports them to the system console (in inverse video, to distinguish them from ordinary console messages), prints a user-definable memo to the system line printer, and logs them to its own log file for future reference (thus providing a permanent record for future interrogation). This "three-alarm system" makes sure that attempted security violations are acted upon, not ignored.

AUDIT TRAIL

Although an account manager should be able to add, change, or remove user security within his own account, there must be some means provided to keep track of his actions. Under HP's logon security system, an account manager can create a fictitious user ID, log on to the system under it, and do something that he shouldn't be doing without being afraid of getting caught. With SECURITY/3000, all user additions, changes, and deletions are logged to the SECURITY log file, thus allowing an auditor or system manager to determine who created, altered, or removed a given user ID.
TIME OF DAY, DAY OF WEEK, AND TERMINAL NUMBER SECURITY

Most security violations will not occur on Tuesday at 2:30 in the middle of your payroll department; they will most likely be done in the dead of night on a weekend across a telephone line. If your payroll clerks work only on weekdays from 9 to 5 on terminals 31, 32, 33, and 35, any attempts to access the payroll account at any other time from any other place are inherently a security violation. Does HP's logon security system protect you against this? No. Does SECURITY/3000? Yes.

In short, SECURITY/3000 gives you what HP's logon security doesn't give -- security.

CONCLUSION

If you are an average HP shop, you have tens of millions of dollars flowing through your computer. If you want to keep those tens of millions of dollars, what you need is SECURITY/3000.
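The logon scheme the paper describes under USER ID INTEGRITY (one random personal-profile question, answer checked against a one-way transform) together with the weekday/hours/terminal rule from the payroll example, as an added Python illustration that is not SECURITY/3000's own code. Salted PBKDF2 is used in place of the paper's unspecified one-way encryption, and the PAYROLL policy, questions, answers and timestamps are constructed for the example.

```python
import hashlib, hmac, os, random
from datetime import datetime

def hash_answer(answer, salt):
    # Salted PBKDF2 stands in for the paper's unspecified "one-way encryption";
    # case and spacing are normalised so "jensen" and "Jensen" both verify.
    norm = " ".join(answer.upper().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

def enroll(answers):
    """Return {question: (salt, hash)}; the clear-text answers are not kept."""
    profile = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        profile[question] = (salt, hash_answer(answer, salt))
    return profile

def pick_question(profile, rng=random):
    # One random question out of the configured set (up to 30 in the paper).
    return rng.choice(sorted(profile))

def check_answer(profile, question, answer):
    salt, stored = profile[question]
    return hmac.compare_digest(hash_answer(answer, salt), stored)

# Constructed policy for a hypothetical PAYROLL account: weekdays 9-5 on
# terminals 31, 32, 33 and 35, as in the paper's payroll-clerk scenario.
PAYROLL_POLICY = {"days": range(0, 5), "hours": range(9, 17),
                  "terminals": {31, 32, 33, 35}}

def policy_allows(policy, when, terminal):
    return (when.weekday() in policy["days"] and when.hour in policy["hours"]
            and terminal in policy["terminals"])

VIOLATION_LOG = []  # stands in for the console alarm, printer memo and log file

def logon(user, profile, policy, question, answer, when, terminal):
    """True on success; every failure is recorded with its reason, never dropped."""
    if not policy_allows(policy, when, terminal):
        VIOLATION_LOG.append((when.isoformat(), user, terminal, "outside allowed time/terminal"))
        return False
    if not check_answer(profile, question, answer):
        VIOLATION_LOG.append((when.isoformat(), user, terminal, "wrong profile answer"))
        return False
    return True

# Constructed sample timestamps: a Tuesday afternoon and a Saturday at 2 a.m.
TUESDAY_AFTERNOON = datetime(2024, 1, 9, 14, 30)
SATURDAY_NIGHT = datetime(2024, 1, 13, 2, 0)
```

Note that the policy check runs before the answer is even examined, so an attempt from the wrong terminal or at the wrong hour is logged as a violation without exercising the profile questions at all.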