Network Security VI. Authentication PDF

Document Details

Uploaded by SmilingHibiscus5596

Universität Bern

2024

Torsten Braun

Tags

network security authentication computer science information security

Summary

This document is lecture notes on network security, specifically focused on authentication methods. It covers various authentication systems and protocols, including password-based, address-based, and cryptographic approaches. The content examines different aspects of authentication, including security issues and various practical aspects of authentication systems.

Full Transcript

Network Security VI. Authentication
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 21.10.2024 – 28.10.2024

Table of Contents
1. Authentication Systems
2. Authentication of People
3. Authentication Protocols
4. Kerberos
5. Federated Identity Management

1. Authentication Systems

− Authentication is the process of reliably verifying the identity of someone (or something).
− Computers authenticate each other, e.g., printer and printer spooler.
− A user must be authenticated when trying to use a computer system.
− Authentication types
  1. Password-based
  2. Address-based
  3. Cryptographic
− In many cases authentication leads to the establishment of a secret key between the communicating entities.

1. Password-based Authentication
[Figure: A sends "password" to B]
− No cryptographic operation because:
  − Difficult to achieve by humans when connecting from dumb terminals
  − Crypto could be overly expensive in processing resources.
  − Export or legal issues
− Problems: Eavesdropping, cloning, etc.
→ Passwords should not be used in networked applications without additional protection.

1.1 Password-based Authentication: Password Guessing: On-line Attack
Operation
− try passwords until accepted
Protection
− limit number of trials and lock account: e.g., ATM machine; Denial-of-Service problem: lock all accounts
− increase minimum time between trials
− prevent automated trials: from a keyboard, Turing tests
− long passwords: pass phrases, initials of sentences, reject easy passwords
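An added example, not part of the lecture slides: one way to implement "increase minimum time between trials" from slide 1.1 without the lock-all-accounts denial-of-service problem of a hard lockout. The class and function names, the doubling policy and the delay values are assumptions made for illustration.

```python
import time


class LoginThrottle:
    """Per-account delay that doubles after each consecutive failure.

    The account is never locked permanently, so an attacker who fails on
    purpose can slow the owner down by at most max_delay seconds.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a correct password resets the delay
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        # Exponent is capped so a very long failure streak cannot overflow.
        delay = min(self.max_delay, self.base_delay * 2 ** min(failures - 1, 32))
        self._state[account] = (failures, self.clock() + delay)


def attempt_login(throttle, check_password, account, password):
    """Returns 'ok', 'denied' or 'throttled'. Throttled attempts are not evaluated."""
    if throttle.retry_after(account) > 0:
        return "throttled"
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"


def demo():
    now = [0.0]                       # constructed fake clock, in seconds
    throttle = LoginThrottle(clock=lambda: now[0])
    db = {"alice": "correct horse"}   # constructed; real systems store salted hashes

    def check(account, password):
        return db.get(account) == password

    results = [attempt_login(throttle, check, "alice", "guess1")]      # wait 1 s
    results.append(attempt_login(throttle, check, "alice", "guess2"))  # too early
    now[0] += 1.0
    results.append(attempt_login(throttle, check, "alice", "guess3"))  # wait 2 s
    now[0] += 1.5
    results.append(attempt_login(throttle, check, "alice", "correct horse"))
    now[0] += 0.5
    results.append(attempt_login(throttle, check, "alice", "correct horse"))
    return results


if __name__ == "__main__":
    print(demo())
```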
1.2 Password-based Authentication: Password Guessing: Offline Attack
Operation
− Attacker captures X = f(password)
− Dictionary attack: try to guess the password value offline
Protection
− If offline attacks are possible, then the secret space should be large and should mitigate against GPU/ASICs parallel brute forcing.
− Unix system uses a salt
− Store "SS | hash(SS | password)", where SS is a random value

1.3 Password-based Authentication: Storing Passwords
Alternatives
− Each user's secret information is stored in every server.
− Authentication Storage Node
  − stores user's secret information
  − Server has to retrieve user's secret information for authentication.
  − need to trust/authenticate/secure ASN session
− Authentication Facilitator Node
  − stores user's secret information
  − Server retrieves information from user and forwards it to AFN.
  − AFN does authentication and returns yes/no.
  − need to trust/authenticate/secure AFN session
Authentication Information Database
− Encryption
− Hashing, e.g., in UNIX, but allows offline attacks

2. Address-based Authentication
Access right is based on user@address.
Address-based authentication
− assumes that identity of the source can be inferred from network address of received packets.
− trusts network address information.
− is implemented in Unix, e.g., /etc/hosts.equiv and .rhosts files, NFS mounting
− is safe from eavesdropping.
Problems
− If an attacker gets access to a node, it also can get access to resources the node has access to.
− Impersonation of network addresses, e.g., IP or MAC addresses, is easy.
− Misuse of IP source routing
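An added example, not part of the lecture slides, for the storage rule on slide 1.2: the record is "SS | hash(SS | password)" with a random SS per user. As an assumption, hash is instantiated with the memory-hard scrypt function from Python's standard library, which takes the salt as a separate input instead of concatenating it; the parameter values and function names are illustrative.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
# Assumed work factor: n=2**14, r=8 costs about 16 MiB of memory per guess,
# which is what limits parallel guessing on GPUs and ASICs.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def make_record(password: str) -> bytes:
    """Return SS | hash(SS, password) with a fresh random salt SS."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt + digest


def verify(password: str, record: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, stored)


def demo():
    pw = "tr0ub4dor"  # constructed sample password shared by two users
    # Unsalted fast hash: equal passwords give equal entries, so one
    # precomputed dictionary applies to every account at once.
    unsalted_a = hashlib.sha256(pw.encode()).hexdigest()
    unsalted_b = hashlib.sha256(pw.encode()).hexdigest()
    # Salted slow hash: each record forces a separate, expensive search.
    rec_a = make_record(pw)
    rec_b = make_record(pw)
    return {
        "unsalted_equal": unsalted_a == unsalted_b,
        "salted_equal": rec_a == rec_b,
        "verify_ok": verify(pw, rec_a),
        "verify_bad": verify("wrong guess", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```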
3.1 Cryptographic Authentication: Authentication Tokens
Authentication through what you have:
− Primitive forms: credit cards, physical key
− Smartcards-based: embedded CPU (tamper proof)
  − Personal Identification Number protected memory card: locks itself after a few wrong trials
  − Cryptographic challenge / response cards
    − Crypto key inside the card and not revealed even if given the PIN
    − Computer knowing the key in the card sends a challenge for encryption
    − If challenge is answered correctly, computer assumes availability of card and correct PIN
    − PIN authenticates the user (to the card), reader/server authenticates card
  − Cryptographic calculator: like previous card but has a display or speaker to output some result to be entered in a computer.
− Mobile devices as a second-factor

3.2 Cryptographic Authentication: Multifactor Authentication
[Figure]

3.3 Cryptographic Authentication: Passwords as Cryptographic Keys
− Cryptographic key: specially chosen large number, but difficult to remember
− Passwords can be remembered by humans and are used to support cryptographic authentication and other security mechanisms.
− How to derive keys from a password?
− Challenges
  − Users choose weak and short passwords.
  − If information on key becomes available to adversary → possible offline-attack
  − Key derivation from password should balance resources, e.g., it is computationally expensive to convert passwords into RSA key.

3.4 Cryptographic Authentication: Passwords as Cryptographic Keys
− Symmetric encryption, e.g., AES: hashing of passwords to 128/256 bits
− RSA: private key must be designed more carefully and is based on selecting 2 prime numbers.
− Jeff Schiller: conversion of user password into public key pair
− Such schemes often perform poorly.
− Off-line password guessing attack possible
Method from Jeff Schiller
− Convert the password into a seed for a random number generator
− Random numbers must be tested whether being prime. (time consuming !)
− RSA key generator will find many non-primes before finding two primes.
− Example:
  − Key generator finds primes after 857 and 533 attempts using the user's seed.
  − Key generator can give to user to remember and use for faster RSA key generation.

3.5 Authentication with Public and Secret Keys
[Figure: two challenge/response exchanges between A and B. Secret key: B (knows A's secret key Ks) sends random R, A answers X = f(Ks, R). Public key: B (knows A's public key) sends R, A answers with R signed with A's private key.]

4.1 NIST Model for Electronic User Authentication
[Figure]

4.2 NIST Model for Electronic User Authentication
− Credential Service Provider is a trusted entity that issues or registers subscriber authenticators
− Subscriber is a party who has received a credential or authenticator from a CSP.
− Applicant is a subject undergoing the processes of enrollment and identity proofing.
− Claimant is a subject whose identity is to be verified using one or more authentication protocols.
− Verifier verifies the claimant's identity by verifying the claimant's possession and control of one or two authenticators using an authentication protocol.
− Relying Party relies upon the subscriber's authenticator(s) and credentials or a verifier's assertion of a claimant's identity, typically to process a transaction or grant access to information or a system.

5.1 Trusted Intermediaries: Key Distribution Center
[Figure: KDC connected to nodes a, b, c, d, e, f]
− KDC knows keys for all nodes.
− Two nodes a and b aiming to talk to each other ask KDC for secret session key.
− KDC
  − authenticates a,
  − chooses random number Rab as session key,
  − encrypts Rab with both secret keys shared with a and b,
  − transmits encrypted Rab to a and b, respectively.

5.2 Trusted Intermediaries: Certificate Authorities
− Public keys must be known, but it must be sure that they are correct and not overwritten by an attacker.
− CA generates certificates, which are signed messages of (name, public key).
− Certificates can be stored in a central repository or in a distributed way.
Advantages of CA
− CA does not need to be online.
− Failure of CA does not harm network operation but installing new devices / users.
− Certificates might be deleted, but alteration is difficult.
− Compromised CA can not decrypt messages, but compromised KDC can.

5.3 Trusted Intermediaries: Certificate Revocation
Problem
− Certificates have a lifetime until when they are valid.
− In case of earlier expiration, they have to be revoked.
Solution: Certificate Revocation Lists
− List of certificates (serial numbers) that should not be honored any more

5.4 Multiple Trusted Intermediaries
Multiple KDCs
− to avoid that a single KDC can be compromised
− to improve scalability
[Figure: nodes a to l attached to KDC1 and KDC2; the two KDCs share key K12]

5.5 Trusted Intermediaries: Multiple KDC Domains
[Figure: exchange between A, KDC1, KDC2 and B with the messages "Request for KDC2", "KA(Knew)", "K12(Knew)", "Request for B", "Knew(KAB)", "KB(KAB)"]

2. Authentication of People

1. Overview
− Humans are not able to securely store high-quality cryptographic keys.
− User authentication: Computer verifies that a user is what she/he claims to be.
  − What you know (knowledge)
  − What you have (possession)
  − What you are (inherence)

Table 16.1 Authentication Factors
Factor | Examples | Properties
Knowledge | User ID, Password, PIN | Can be shared; Many passwords easy to guess; Can be forgotten
Possession | Smart Card, Electronic Badge, Electronic Key | Can be shared; Can be duplicated (cloned); Can be lost or stolen
Inherence | Fingerprint, Face, Iris, Voice print | Not possible to share; False positives and false negatives possible; Forging difficult

2. Initial Password Distribution
Physical contact:
− go to the system admin, show proof of identity, and set password
− Drawback: inconvenient, security threats when giving the user access to the system admin session to set the password
Choose a random strong initial password (pre-expired password) that can only be used for the first connection

3. Biometrics
− Retina Scanner
− Fingerprint readers
− Face recognition
− Iris scanner
− Handprint readers
− Voiceprints
− Keystroke timing
− Signatures

3. Authentication Protocols

1.1 Password-based Protocols for Logins
1) Simple password-based authentication:
− A sends password to B (clear ! or encrypted)
− B verifies password
2) [Figure: exchange between A and B with the messages "A", "Challenge R", "F(KAB, R)"]
− More secure than simple algorithm
− No mutual authentication (A does not authenticate B), useful for logins
− Hijacking of conversation possible, i.e., generating packets with A's source address
− Off-line password attack possible

1.2 Password-based Protocols for Logins
[Figure: exchange between A and B with the messages "A", "KAB(R)", "R"]
− Possible dictionary attack by sending requests or eavesdropping
[Figure: A sends "A, KAB(timestamp)" to B]
− Authentication based on reasonably synchronized clocks
− Timestamps to be remembered to avoid impersonation
− B must verify for all possible timestamps
[Figure: A sends "A, timestamp, hash(KAB, timestamp)" to B]
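An added example, not part of the lecture slides, showing server B's side of two of the login protocols above: the challenge R answered with F(KAB, R), and the single message "A, timestamp, hash(KAB, timestamp)" with remembered timestamps. As assumptions, F and hash are both instantiated as HMAC-SHA-256, the clock window is 120 seconds, and all class and function names are illustrative.

```python
import hashlib
import hmac
import os
import struct
import time


def f(key: bytes, data: bytes) -> bytes:
    """F(KAB, x) from the slides, instantiated as HMAC-SHA-256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Verifier:
    """Server B. keys maps a user name to the shared key KAB."""

    def __init__(self, keys, max_skew=120, clock=time.time):
        self.keys = keys
        self.max_skew = max_skew
        self.clock = clock
        self.pending = {}  # user -> outstanding challenge R
        self.seen = {}     # (user, timestamp) -> time until which it is remembered

    def challenge(self, user):
        r = os.urandom(16)
        self.pending[user] = r
        return r

    def check_response(self, user, response):
        r = self.pending.pop(user, None)  # every R is accepted at most once
        key = self.keys.get(user)
        if r is None or key is None:
            return False
        return hmac.compare_digest(f(key, r), response)

    def check_timestamp(self, user, ts, tag):
        now = self.clock()
        key = self.keys.get(user)
        if key is None or not isinstance(ts, int) or ts < 0:
            return False
        if abs(now - ts) > self.max_skew:           # clocks too far apart or stale
            return False
        if not hmac.compare_digest(f(key, struct.pack(">Q", ts)), tag):
            return False
        # Forget entries that the window check above would reject anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (user, ts) in self.seen:                 # replay inside the window
            return False
        self.seen[(user, ts)] = ts + self.max_skew
        return True


def timestamp_login(key, user, now):
    """Client A's single message: A, timestamp, hash(KAB, timestamp)."""
    ts = int(now)
    return user, ts, f(key, struct.pack(">Q", ts))


def demo():
    now = [1_700_000_000]               # constructed fake clock, in seconds
    kab = os.urandom(32)                # constructed shared key
    b = Verifier({"A": kab}, clock=lambda: now[0])
    resp = f(kab, b.challenge("A"))     # A answers the challenge
    first = b.check_response("A", resp)
    b.challenge("A")                    # next login gets a new R
    replayed = b.check_response("A", resp)
    msg = timestamp_login(kab, "A", now[0])
    fresh = b.check_timestamp(*msg)
    again = b.check_timestamp(*msg)     # same message replayed in the window
    now[0] += 121
    stale = b.check_timestamp(*msg)     # replayed after the window
    return [first, replayed, fresh, again, stale]


if __name__ == "__main__":
    print(demo())
```

Neither variant changes the slide's other findings: B is not authenticated to A, and when KAB is derived from a password a recorded pair (R, F(KAB, R)) still allows offline guessing.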
3. Authentication Protocols (continued)

2. One-Way Public Key
− Previous protocols allow impersonation, if user's database can be read.
− This can be avoided by public keys.
− Signature RA: transform of R using A's private key
[Figure: exchange between A and B with the messages "A", "R", "RA"]
− Problem: one can trick someone to sign / decrypt something.
− Solution: never use R twice, e.g., by using a certain structure.
− {R}A: R encrypted using A's public key
[Figure: exchange between A and B with the messages "A", "{R}A", "R"]

3.1 Mutual Authentication
Mutual authentication based on shared key is rather inefficient.
[Figure: exchange between A and B with the messages "A", "R1", "f(KAB, R1)", "R2", "f(KAB, R2)"]

3.2 Mutual Authentication
Mutual authentication based on public keys, but public keys must be known and verified, which could be a problem, if one party is a human.
[Figure: exchange between A and B with the messages "A, {R2}B", "R2, {R1}A", "R1"]

3.3 Mutual Authentication
Mutual authentication with 2 messages using timestamps and synchronized clocks
[Figure: exchange between A and B with the messages "A, f(KAB, timestamp)", "f(KAB, timestamp+1)"]

4. Mediated Authentication
1. KDC operation in principle
− A might receive message from KDC much earlier than B or vice versa.
[Figure: A, KDC and B with the messages "A", "KA{KAB}", "KB{KAB}"]
2. KDC operation in practice
− Ticket: KB{A, KAB}
[Figure: A, KDC and B with the messages "A", "KA{KAB}, Ticket", "A, Ticket"]

5. Needham-Schroeder
− Nonces Ni
− Ticket: KB{KAB, A}
− Reflection attack possible in message 4, if symmetric encryption in ECB mode is used and nonces are separately encrypted.
[Figure: message sequence between A, KDC and B]
  1. N1, A, B
  2. KA{N1, B, KAB, Ticket}
  3. Ticket, KAB{N2}
  4. KAB{N2-1, N3}
  5. KAB{N3-1}

5.1 Reflection Attack
− Attacker initiates a connection to a target.
− Target attempts to authenticate the attacker by sending a challenge.
− Attacker opens another connection to the target and sends to the target this challenge as its own.
− Target responds to the challenge.
− Attacker sends that response back to target on original connection.

5.2 Example: Reflection Attack
[Figure: the Needham-Schroeder message sequence of slide 5]
− N2-1, N3 are separately encrypted.
− C wants to impersonate A to B.
− C replays message 3 to B.
− B responds with KAB{N2-1, N4}.
− C opens a new connection to B using KAB{N4} instead of KAB{N2}, cf. message 3
− B returns KAB{N4-1, N5}.
− C uses KAB{N4-1} as message 5 of its connection.

5.3 Expanded Needham-Schroeder
− Problem of Needham-Schroeder: Attacker gets A's key: Ticket for B remains valid, even if A changes its key.
− Solution: Expanded Needham-Schroeder
− Ticket: KB{KAB, A, NB}
− Ticket will reassure that an entity has contacted KDC before contacting B
[Figure: message sequence between A, KDC and B with the messages "A, B", "KB{NB}", "A, KB{NB}", "KA{N1, B, KAB, Ticket}", "Ticket, KAB{N2}", "KAB{N2-1, N3}", "KAB{N3-1}"]

6.1 Strong Password Protocols: Lamport's Hash
− B can authenticate A securely.
− Human A remembers a password.
− Server B has a database with user entries
  − user name
  − large n, e.g., 1000, which is decremented when a user authenticates
  − knows (hash^n(password))
− After receiving message: server
  − compares hash(x) with hash^n(password) and if equal, it replaces it by x = hash^(n-1)(pwd)
− Problems
  − Limited number of logins (n)
  − No mutual authentication
[Figure: human A, A's computer and server B with the messages "A, pwd", "A", "n", "x"]

6.2 Strong Password Protocols: Encrypted Key Exchange
− A and B share a weak password W, which is a hash of A's password; B stores it, A computes it.
− Diffie-Hellman exchange by encrypting DH numbers with W
− Attacker doing trial decryption fails, since decryption looks like a random number.
− Strong secret K, because attacker must guess password and break DH
[Figure: A and B share weak secret W; messages "A, W(g^a mod p)", "A, W(g^b mod p, C1)", "K(C1, C2)", "K(C2)", with K = g^ab mod p]

4. Kerberos

1. Overview
− Authentication service developed as part of Project Athena at MIT
− A workstation cannot be trusted to identify its users correctly to network services, because
  − a user may gain access to a particular workstation and pretend to be another user operating from that workstation.
  − a user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
  − a user may eavesdrop exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
Kerberos
− provides a centralized authentication server whose function is to authenticate users to servers mutually.
− relies exclusively on symmetric encryption, making no use of public-key encryption.

2.1 Replay Attacks
− An attacker simply copies a message and replays it later.
− An attacker can replay a timestamped message within the valid time window.
− An attacker can replay a timestamped message within the valid time window, but in addition, the attacker suppresses the original message.

2.2 Approaches against Replay Attacks
− Attach a sequence number to each message used in an authentication exchange
  − A new message is accepted only if its sequence number is in the proper order.
  − Difficulty with this approach is that it requires each party to keep track of the last sequence number for each claimant
  − Generally, not used for authentication and key exchange because of overhead
− Timestamps
  − require clock synchronization
  − Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time.
− Challenge/Response
  − Party A, expecting a fresh message from B, first sends to B a nonce (challenge) and requires that subsequent message (response) from B contains correct nonce value.

3. Kerberos V4
− uses DES for authentication service
− Authentication Server
  − knows passwords of all users and stores them in a centralized database
  − shares unique secret key with each server
− Ticket
  − is created once the AS accepts the user as authentic; contains user's ID, network address, server's ID
  − is encrypted using the secret key shared by AS and server
− Ticket-Granting Server
  − issues tickets to users who have been authenticated to AS
  − Each time the user requires access to a new service the client applies to TGS using the ticket to authenticate itself.
  − TGS then grants a ticket for service.
  − Client saves each service-granting ticket and uses it to authenticate its user to a server each time a particular service is requested

4. Message Exchange
Parties: Client, Authentication server (AS), Ticket-granting server (TGS), Service provider
− Client authentication: ID_c || ID_tgs || TS1
− Shared key and ticket: E(K_c, [K_c,tgs || ID_tgs || TS2 || Lifetime2 || Ticket_tgs])
− Ticket_tgs, server ID, and client authentication: ID_v || Ticket_tgs || Authenticator_c
− Shared key and ticket: E(K_c,tgs, [K_c,v || ID_v || TS4 || Ticket_v])
− Ticket_v and client authentication: Ticket_v || Authenticator_c
− Service granted: E(K_c,v, [TS5 + 1])

5. Realms and Multiple Kerberi
A full-service Kerberos environment, consisting of a Kerberos server, several clients, and several application servers requires that
− Kerberos server
  − must have user ID and hashed passwords of all participating users in its database.
  − must share a secret key with each other server.
  − in each interoperating realm shares secret keys with Kerberos servers in other realms.
− Realm = a set of managed nodes that share the same Kerberos database
− Mutual registrations

6. Request for Service in another Realm
[Figure: Realm A with Client and Kerberos (Authentication server (AS), Ticket-granting server (TGS)); Realm B with Kerberos (AS, TGS) and Host/application server]
  1. request ticket for local TGS
  2. ticket for local TGS
  3. request ticket for remote TGS
  4. ticket for remote TGS
  5. request ticket for remote server
  6. ticket for remote server
  7. request remote service

7.1 Kerberos V4/5: Environmental Shortcomings
1. Encryption system dependence: V4 requires DES (export restrictions). V5 makes use of AES.
2. IP dependence: V4 requires IP addresses. V5 network addresses are tagged with type and length, allowing any network address types
3. Message byte ordering: In V4, the sender of a message employs a byte ordering of its own choosing. In V5, message structures are defined using Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules.
4. Ticket lifetime: Lifetime values in V4 are encoded in 8-bits with units of 5 minutes, i.e., a maximum lifetime of 2^8 * 5 = 1280 minutes. In V5, tickets include explicit start time and end time, allowing arbitrary lifetimes.
5. Authentication forwarding: V4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. For example, a client issues a request to a print server, which then accesses the client's file from a file server, using the client's credentials for access. V5 provides this capability.
6. Inter-realm authentication: In V4, interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships. V5 supports a method that requires fewer relationships.
7.2 Kerberos V4/5: Technical Deficiencies
1. Double encryption: Tickets provided to clients are encrypted twice, which is not necessary.
2. Encryption in V4 makes use of Propagating Cipher Block Chaining, which is vulnerable to an attack involving the interchange of ciphertext blocks. V5 provides explicit integrity mechanisms, allowing standard CBC mode for encryption
3. Session keys: Each ticket includes a session key. Because the same ticket may be used repeatedly to gain service from a particular server, there is the risk that an opponent will replay messages from an old session to the client or the server. In V5, it is possible for a client and server to negotiate a subsession key, which is to be used only for that one connection.
4. Password attacks: Both versions are vulnerable to password attacks. V5 does provide a mechanism known as pre-authentication, which should make password attacks more difficult.

5. Federated Identity Management

1. Overview
dealing with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many users
Services provided include:
− Point of contact
− Single-Sign-On protocol services
− Trust services
− Key services
− Identity services
− Authorization
− Provisioning
− Management

2. Generic Identity Management System
[Figure: Principal (identity holder), Identity Provider, Data consumer (e.g., server), Attribute Service, Administrator]

3. Operation
[Figure: User, Identity Provider (source domain), Administrator and Service Provider, connected by arrows numbered 1 to 4]
1. User's browser or application contacts Identity Provider. End user provides attributes.
2. Administrator may also provide attributes.
3. Service Provider obtains identity information, authentication information, attributes from IdP.
4. SP opens session to user and enforces access control based on user's identity and attributes.

Thanks for your Attention
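An added example, not part of the lecture slides, for Lamport's hash (section 3, slide 6.1): server B stores only n and hash^n(password), A's computer answers with x = hash^(n-1)(password), and B replaces its entry by x. As assumptions, hash is SHA-256, the names are illustrative, and the server stops at n = 1 because the next answer would be the password itself.

```python
import hashlib
import hmac


def hash_n(password: bytes, n: int) -> bytes:
    """hash^n(password): SHA-256 applied n times (hash choice is an assumption)."""
    x = password
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


class LamportServer:
    """Server B: per user it keeps n and hash^n(password), never the password."""

    def __init__(self):
        self.db = {}

    def enroll(self, user, password, n=1000):
        self.db[user] = (n, hash_n(password, n))

    def start(self, user):
        """Answer to message 'A': the current n, or None if A must re-enroll."""
        entry = self.db.get(user)
        if entry is None or entry[0] <= 1:
            return None
        return entry[0]

    def finish(self, user, x):
        """Accept x if hash(x) equals the stored value, then store (n-1, x)."""
        entry = self.db.get(user)
        if entry is None or entry[0] <= 1:
            return False
        n, stored = entry
        if not hmac.compare_digest(hashlib.sha256(x).digest(), stored):
            return False
        self.db[user] = (n - 1, x)
        return True


def client_response(password: bytes, n: int) -> bytes:
    """A's computer: x = hash^(n-1)(password)."""
    return hash_n(password, n - 1)


def demo():
    pwd = b"constructed pass phrase"     # constructed sample password
    server = LamportServer()
    server.enroll("A", pwd, n=5)         # small n so the limit becomes visible
    x = client_response(pwd, server.start("A"))
    first = server.finish("A", x)        # accepted, entry becomes (4, x)
    replay = server.finish("A", x)       # eavesdropped x is useless afterwards
    logins = 1
    while True:
        n = server.start("A")
        if n is None:                    # limited number of logins reached
            break
        if not server.finish("A", client_response(pwd, n)):
            raise RuntimeError("valid response rejected")
        logins += 1
    return {"first": first, "replay": replay, "logins": logins,
            "n_left": server.db["A"][0]}


if __name__ == "__main__":
    print(demo())
```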
