SECURITY/3000: A NEW APPROACH TO LOGON SECURITY by Eugene Volokh, VESOFT Presented at 1982 HPIUG Conference, Copenhagen, DANMARK Published in "Thoughts & Discourses on HP3000 Software", 1st ed. ABSTRACT With the advent of computers, a new age of information processing downed. And, together with it, a new threat to information security was born -- the threat of computer crime. This paper will tell you why you should buy SECURITY/3000, VESOFT's answer to at least one part of the security problem -- logon security. THE PROBLEM Security is the art of restricting access to certain entities. One of the fundamental aspects of all security systems is accessor identification, i.e. determining who the person who wants to access a given entity really is. In computer security, this form of security is called logon security. Once this level of security is passed, the accessor is no longer Joe Smith, but rather JOE.PAYROLL (with the underlying assumption that JOE.PAYROLL really is Joe Smith). If John Doe can sign on as JOE.PAYROLL, the computer will still think that he is Joe Smith, and will let him do anything that Joe can do, regardless of any further levels of security that exist on the system. Thus, if your logon security system is inadequate, no additional layers of security can help -- your system is wide open to any would-be computer criminals. Thus, a good logon security system must ensure user ID integrity, and, if a violation is detected, it must take proper measures to inform appropriate people (e.g. the system manager and the console operator) of the violation. Furthermore, it must protect against internal tampering with the security system by maintaining a clear audit trail of all security modifications. And, it may also be of benefit for it to prevent user access at times and from places in which it is easiest to penetrate system security (e.g. on weekends, after hours, over telephone lines, etc.) Unfortunately (for you, but fortunately for us vendors), HP's logon security system does not meet the above requirements. No time of day, day of week, or terminal number security is provided; no audit trail of password removals, additions, or modifications is kept; only the console operator is informed of any violations (via a message that is virtually indistinguishable from a number of other messages sent to the system console); and, as we will demonstrate below, user ID integrity is easily compromised. In order to ensure user ID integrity, HP's logon security system uses passwords. However, these passwords provide only an illusion of security, because: * There is only one password for each level (user, account, or group) of security. Thus, knowing this one password guarantees that you can penetrate that level of security. * Many people treat passwords as a dispensable nuisance, an therefore readily reveal their passwords to unauthorized person. To a person who does not perceive the security value of a password, it is much easier to tell someone the password rather than to question whether someone should really know it. Similarly, people have no qualms about writing passwords down if they have trouble remembering them (in one case, the user actually wrote the password down and stuck it to her terminal!). * Passwords are stored in the system in clear text. Thus, they may be readily found in job streams, discarded LISTDIR2 listings, on SYSDUMP tapes, etc. Thus, if you are relying on HP's logon security system, you and your information can easily fall prey to computer crime. THE SOLUTION USER ID INTEGRITY Instead of conventional passwords, SECURITY/3000 uses personal profile passwords -- answers to personal questions such as "WHAT IS YOUR MOTHER'S MAIDEN NAME?", "WHAT CITY WAS YOUR GRANDFATHER BORN IN?", etc. (If you don't like our questions, you can configure your own.) Instead of asking the same question all the time, SECURITY/3000 asks a random one out of a number of questions (up to 30, user-configurable). And, instead of keeping the answers stored in clear text, it encrypts them using a special one-way encryption system, through which the answers cannot be decrypted by anybody. Thus, passwords are automatically imbued with a psychological security significance; knowledge of all passwords is required to be sure of being able to access the system, even though the user is asked only one at logon time; and, passwords are made impossible to determine. Thus, SECURITY/3000 avoids the disadvantages of HP's logon security. VIOLATION REPORTING Unlike HP's logon security system, which reports security violations only to the system console, SECURITY/3000 reports them to the system console (in inverse video, to distinguish them from ordinary console messages), prints a user-definable memo to the system line printer, and logs them to its own log file for future reference (thus providing a permanent record for future interrogation). This "three-alarm system" makes sure that attempted security violations are acted upon, not ignored. AUDIT TRAIL Although an account manager should be able to add, change, or remove user security within his own account, there must be some means provided to keep track of his actions. Under HP's logon security system, an account manager can create a fictitious user ID, logo on to the system under it, and do something that he shouldn't be doing without being afraid of getting caught. With SECURITY/3000, all user additions, changes, and deletions are logged to the SECURITY log file, thus allowing an auditor or system manager to determine who created, altered, or removed a given user ID. TIME OF DAY, DAY OF WEEK, AND TERMINAL NUMBER SECURITY Most security violations will not occur on Tuesday at 2:30 in the middle of your payroll department; they will most likely be done in the dead night on a weekend across a telephone line. If your payroll clerks work only on weekdays from 9 to 5 on terminals 31, 32, 33, and 35, any attempts to access the payroll account at any other time from any other place is inherently a security violation. Does HP's logon security system protect you against this? No. Does SECURITY/3000? Yes. In short, SECURITY/3000 gives you what HP's logon security doesn't give -- security. CONCLUSION If you are an average HP shop, you have tens of millions of dollars flowing through your computer. If you want to keep those tens of millions of dollars, what you need is SECURITY/3000.
Go to Adager's index of technical papers