cse443-lecture-9-authentication

cse443-lecture-9-authentication - Lecture 9 -...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Lecture 9 - Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Implementing Authentication Protocols Authentication verifying identity (prove possession of a secret) mutual authentication key distribution (secret for secure communication) Leverage constructions to achieve authenticity, confidentiality, and integrity Signatures HMAC Protocols Needham-Schoeder CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 2 Kerberos History: from UNIX to Networks (late 80s) Solves: password eavesdropping Online authentication Variant of Needham-Schroeder protocol Easy application integration API First single sign-on system (SSO) Genesis: rsh, rcp authentication via assertion Most widely used (non-web) centralized password system in existence (and lately only ..) Now: part of Windows 2K, XP network authentication Windows authentication was a joke. CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 3 An aside ... Authentication Assessing identity of users By using credentials ... Authorization Determining if users have the right to perform requested action (e.g., write a file, query a database, etc.) Kerberos authenticates users, but does not perform any authorization functions ... ... beyond identify user as part of Realm Typically done by application. Q: Do you use any "Kerberized" programs? How do you know? CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 4 The setup ... The players Principal - person being authenticated Service (verifier) - entity requiring authentication (e.g, AFS) Key Distribution Center (KDC) Trusted third party for key distribution Each principal and service has a Kerberos password known to KDC, which is munged to make a password key, e.g., kA Ticket granting server Server granting transient authentication The objectives Authenticate Alice (Principal) to Bob (Service) Negotiate a symmetric (secret) session key kAB CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 5 The protocol A two-phase process User authentication/obtain session key (and ticket granting ticket) key from Key Distribution Center Authenticate Service/obtain session key for communication with service Setup Every user and service get certified and assigns password CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 6 The simplified Kerberos protocol 1 ) Tic ket? Key Distribution Center 2) Tic ket-Granting -Tc ket 3) Bob? A lic e 4 ) Tic ket (Bob) Tic ket Granting Server 5) Tic ket (Bob) Bob CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 7 A Kerberos Ticket A Kerberos ticket is a token that ... Alice is the only one that can open it Contains a session key for Alice/Bob (KAB) Contains inside it a token that can only be opened by Bob Bobs Ticket contains Alices identity The session key (KAB) Ticket (KAB) Ticket (KAB) "Locked" by KB "Locked" by KA Q: What if issuing service is not trusted? CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 8 Kerberos Ticket Granting Tickets Alice requests a Kerberos session Enters her password Her workstation forwards a request for a TGT In clear (w/o password) KDC generates a TGT {KAT + TGT + details to prevent replay}KA The TGT contains session state: Alice, session key, expiration time All are encrypted with TGS key (KDC master key) Q: Why is TGT encrypted with Alices key? CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 9 Service Session Alice wants to establish a session with a service Bob She uses the TGT for each session Alice to TGS The identity of the service: Bob The TGT And an authenticator to prove that her workstation knows the current session key Authenticators Encrypted timestamp of the current time: {time}KAT Receives a service session key and a ticket for Bob CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 10 Cross-Realm Kerberos Extend philosophy to more servers Obtain ticket from TGS for foreign Realm Supply to TGS of foreign Realm Rinse and repeat as necessary Michigan Purdue Penn St. Ohio St. Pitt "There is no problem so hard in computer science that it cannot be solved by another layer of indirection." David Wheeler, Cambridge University (circa 1950) CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 11 Kerberos Reality V4 was supposed to be replaced by V5 But wasnt because interface was ugly, complicated, and encoding was infuriating Assumes trusted path between user and Kerberos Widely used in UNIX domains Robust and stable implementation Problem: trust aint transitive, so not so good for large collections of autonomous enterprises CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 12 Kerberos Security Key storage issues KDC is the focal point of security However, user passwords and session keys may be stolen on compromised clients Password cracking was done on Windows Kerberos messages Timestamps are an issue (not nonces like NH) Dont have to track what nonces have been used Authenticators use timestamps as challenge-responses However, timestamps are accepted with range of minutes Some crypto attacks have been proposed Despite these, Kerberos broadly used Not the lowest hanging fruit CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 13 Needham-Schroeder Public Key Did anyone build a public key version of Kerberos? No Ill-fated existence "Proven correct" in 1990 Flaw found in 1995 Led to work on protocol analysis tools X.1 Y.1 Y.2 X.2 X.3 Y.3 AI I(A) B B I(A) IA AI I(A) B A + I + {Na , A}K + I A + B + {Na , A}K + B B + A + {Nb , Na }K + A I + A + {Nb , Na }K + A A + I + {Nb }K + I A + B + {Nb }K + B Page 14 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Secure SHell Secure login, file transfer, X11, TCP/IP over Internet Replaces old insecure protocols for such things that used passwords in cleartext Uses strong cryptography for communication RSA is used for key exchange and authentication Symmetric algorithms for data security CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 15 Basic SSH Protocol (1) Client opens connection to server (2) Server sends public host key Enables approval of new hosts Rejects changed host keys Notifies on expired host keys (3) Client generates random number as session key Encrypts for the server using the host key (4) Server decrypts the session key Confirms receipt (authenticating itself to the client) (5) Client can then authenticate using traditional means E.g., Password CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 16 SSH Security Client encrypts session key in servers host key Q: Does this guarantee integrity? Q: Can you prove that this is not susceptible to man-inmiddle attacks? In SSH v2, communication is protected via HMACSHA1 You should be able to write these messages CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 17 SSH Services Value of SSH comes from the services that it runs... Remote services scp, sftp, ... Support for connections X11 forwarding, TCP forwarding, ... Over a secure channel... Using strong crypto And its straightforward to setup the server and easy for clients Has to deal with a modest number of error cases CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 18 SSH Vulnerabilities The communication is secure, so what to attack... Several problems: circa 2001-2002 Buffer Overflows (sshd runs as root) Several of these Integer overflows Confuse the program (ssh-agent on client runs as root) Also, attack the client side (run as client) DoS attacks OpenSSH system has been rearchitectured Q: Well talk about how to fix these problems later... CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 19 Take Away Systems for authentication have been constructed Powerful, broadly used Cryptography is generally above reproach System challenges Kerberos timestamps Key storage System security Communication is probably not not the weakest link CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 20 ...
View Full Document

Ask a homework question - tutors are online