Extensible Authentication Protocol

CS-630: Cyyyber and Network Security

Lecture # 6: Digital Signatures and Authentication PPfDrof. Dr. SSfiufian HHdameed Department of Computer Science FAST-NUCES

FAST-NUCES Authentication

FAST-NUCES Overview y Authentication y Passwords y Secure ID y Google 2 -step Authentication y Access Control

FAST-NUCES Authentication

y Authentication = binding of an identity to a subject y Confirmation of identity by ... y Knowledge factors = what the entity knows y Ownership factors = what the entity has y Human factors = what the entity is y Location factors = where the entity is

FAST-NUCES Example y LLoginogin to a cocomputermputer y Authentication by knowledge (password) y Online debit cards y AthtitiAuthentication by b ownership ( card) and knowledge (PIN) y Offline debit cards y Authentication by ownership (card) and human factor (signature)

FAST-NUCES Multi-Factor Authentication y Authentication using multiple factors y Example: Scene from the movie “Mission Impossible”

Ethan Hunt needs to 1. use a stol en chi p card ( ownershi p f act or) 2. forge a fingerprint (human factor) 3. enter the terminal room (location factor) 4. enter a password (knowledge factor)

FAST-NUCES Passwords y Password = information confirming the identity of an entity y Knowledge of a secret word , phrase or number

y Often combination with (a)symmetric cryptography y e.g. password is mapped to key of symmetric cipher y e.g. passwordttitkfblid protects private key of public-klithkey algorithm y Passwords are just great. Wait, it’s not that easy

FAST-NUCES Problems with Passwords y Password snooping y Eavesdropping of passwords in network traffic y Retrieval of passwords from hosts (e.g. via malware) y Password guessing (online) or cracking (offline) y Dictionary attacks = guessing using dictionary of words y Brute-force attacks = guessing using all possible strings y Human deficiencies y Weak and often re-used passwords

FAST-NUCES Passwords Storage y Passwords should never be stored in clear y Application of cryptographic one -way functions y Only encoded (hashed) passwords are stored y Sony data breach revealed clear text password. y Why twitter auto-reset the passwords recently ? y Example: $ stored_ pw = hash($password); y Simple to validate: hash($input) == $stored_pw? y Hard to deduce password from strong hash functions y Efficient cracking of stored passwords still possible y Brute-force or dictionary attack using hashed strings

FAST-NUCES Salted Passwords y Encoding of password with random string (salt) y Example: $ storedstored_pw pw = hash($password+$salt); y Salt value stored along with hashed password y Cracking of stored passwords more expensive y Same pppassword maps to different hash values y Without salt: cracking depends on # words y With salt: cracking depends on (# words × # salts) y Security depends on quality of password, hash and salt

FAST-NUCES Example: Unix Password y User credentials stored in two separate databases y /etc/passwd Basic user information (publicly readable)

y /etc/shadow Salt and hashed passwords (protected)

FAST-NUCES Good Password? y Testing for insecure passwords is very easy y A normal core i3 laptop can test 21 million MD5 hashs per hour y Passwords should be very hard to guess y No dictionary words, names, dates and patterns y Simpp(gg)le transformations (e.g. reversing) not sufficient y Minimum length and diversity of passwords y Study by Klein from 1989 y 21% of 13,797 passwords cracked within one week

FAST-NUCES Selection of Passwords y What about these? Hmh40hcr. and DB:L,I4yF! y Trick: first letters of memorable phrase y “He made him an offer he can't refuse .” = Hmh40hcr. y “Darth Vader: Luke, I am your father!” = DB:L,I4yF! y Trick: interweave words of memorable phrase y “My kin gdom f or a h or se!” = KiHoo;NgSer;NgSe y Avoidance of too common phrases y 2bon2b found in 4 out of 30 million passwords

FAST-NUCES One-time Passwords y Security of passwords “weakens” over time y Password aging = enforced changing of passwords y One-time passwords = passwords used exactly once y Example: S/Key Algorithm y User chooses initial key K1 y Recursive hashing: H(K1) = K2, H(K2) = K3,... H(Kn-1) = Kn y One-time passwords: P1 = Kn, P2 = Kn-1, ... Pn = K1 y Hard to deduce next password Pi from previous Pi-1

FAST-NUCES Example: RSA SecureID y Security system using two-factor authentication y Factors: knowledge (password) and ownership (device) y Device generates authentication code every 60 seconds y Auth en ti catio n us ing password and cu rrent code y Code Generation y Device initialized for each user with seed (random number) y Code computed from seed and current time (~one-time password)

FAST-NUCES Examppgle: Google 2-Step Verification y Security system by Google similar to SecurID y Factors: knowledge (password) and ownership (phone) y Authentication code computed on mobile phone y Login at Google requires password and current code

https://blog.duosecurity .com/2013/02/bypassing -googles-two-factor-authentication/

FAST-NUCES Challenge-Reponse y Generic protocol scheme for authentication y System and user share a secret function F

y Advantages over naive authentication methods y Secret, e.g. password, is never transmitted in cleartext y Replay attacks against authentication not possible

FAST-NUCES Challenge-Respp(onse (con’t) y Secret function often parameterized by password y F = H(M + P) hash function H and password P

y F = EP(M) encryption function E and password P y Hard to deduce P if F is cryptog r aphi cally st ro ng y Several methods related to challenge-response scheme y One-time passwords y = challenge (index of password); response (password) y SecurID / Google 2-step y = challenge (current time); response (authentication code)

FAST-NUCES Example: WPA2 (A Short Excursion)

FAST-NUCES Wireless Networks

y IhInheren t secur ity pro blems w ithiith wire less net work s y Communication over shared medium (air) y No physical access control and protection y Need for additional security measures (WEP, WPA, ...)

FAST-NUCES A Closer Look at Attacks y Common attacks types Countermeasures y Masquerading and spoofing չ Au thentication y Eavesdropping of communication չ Encryption y Tampering of messages չ Integrity checks

FAST-NUCES 802.11 and Security

TKIP = Temporal Key Integrity Protocol AES-CCMP = Counter Cippggher Mode with Block Chaining Message Authentication Code Protocol

FAST-NUCES WPA2 Authentication y Two different modes for authentication in WPA2 1. Personal:Pre: Pre-shared keys (PSK) (aka “passwords”) 2. Enterprise: 802.1x with Extensible Authentication Protocol

FAST-NUCES WPA2 Encryption y Partitioning of each message in blocks

y Encryption of each message block in counter mode y Advanced Encryption Standard (AES) using key KE

FAST-NUCES WPA2 Integgyrity Check y Chaining of cipher blocks to a keyed hash value

y Message Integrity Code (MIC) using key KI

y MIC appended to message prior to encryption

FAST-NUCES How secure is WPA2? y Attacks against WPA2 y (Almost) no attacks against cryptographic protocol y Best attack strategy so far: brute-force attacks y Target fo r pote n ti al attacks: Co mp le xity o f p rotoco l y WPA2 security in practice y Strength of passphrase in personal mode y Strenggppth of authentication protocol in enterprise mode

FAST-NUCES Access Control

y Authorization and access control y Control of what a subject is allowed to do y Management of permissions and capabilities y Often tight coupling with authentication y Examples y Execution of programs, reading of files, ...

FAST-NUCES Access Control Matrix

y Classic and simple representation for access control y Mapping from subjects and objects to permissions

FAST-NUCES Access Control Models y Access control non-trivial in practice y Complex systems ֧ complex access control models y Some characteristics of access control models y Definition of objects and subjects E.g. subjects can be users, processes or hosts y Representation of permissions E.gg(. columns (access control lists) )(p), rows (capabilities) y Management of permissions E.g. discretionary, mandatory or role-based access control

FAST-NUCES Representation: Access Control Lists

y Access control lists (ACL) y Attachment of permissions to objects (columns) y ْ Efficient and decentral organization of permissions y ٓ Listinggjp of subject permissions very involved y Example: OpenBSD packet filter y Deny access to the SSH service from any host y → block in qqpuick proto tcp ffyyprom any to any port ssh

FAST-NUCES Repppresentation: Capabilities

y Capabilities y Attachment of permissions to subjects (rows) y ْ Listing and control of subject permissions simple y ٓ Fine-ggprained permissions dif!cult to implement y Examppple: Linux capabilities y Restrict permissions to reboot system and load modules y → lcap -z CAP_SYS_BOOT CAP_SYS_MODULE

FAST-NUCES Management of Permissions y Discretionary Access Control (DAC) y Owner of an object controls access y Convenient but insecure if object changes owner y Mandatory Access Control (MAC) y System globally enforces access control y Very secure but tedious to design and operate y Role-based Access Control (RBAC) y Syygstem enforces access control using roles y In-between DAC and MAC models

FAST-NUCES Example: UNIX Permissions y Discretionary access control of files y Owner manages permissions of his files y Fixed-size access control lists: rwx rwx rwx y Three subjects: user , group and other y Three permissions: read, write and execute

y (a) Everybody can read the passwd file; root can write to it y (b) On lly root an d t he group s ha dow can rea d t he s ha dow file

FAST-NUCES Exampp(le: UNIX Permissions (con’t) y Simple notation for management of permissions y +| -|= y Subjects: u (user), g (group), o (others), a (all) y Peessos:rmissions: r (r ead), w (wr ite), x (execute) y Examples y Make file readable to everyone: chmod a+r file y Remove write ppgpermission from group: chmod g-w file y Make file readable by user only: chmod u=r file y Alternative for UNIX gurus: octal encoding

FAST-NUCES Special Permissions y Some permissions with special semantics y +x makes directories searchable y +t sticky bit (for directories deletion is restricted) y +s sui d bbt(cageusedtoit (change user id to file eowedu owner during geecuto) execution) y A UNIX backdoor from the 1990s

y If it’s bad, why do we need the suid bit?

FAST-NUCES Kerberos

y Authentication service developed as a part of MIT ’s Athena project y Provides centralized private-key third-ppyarty authentication in a distributed network y allows users access to services distributed through network y without needing to trust all workstations y rather all trust a central authentication server y Current version in use: 5

FAST-NUCES Kerberos Overview

y A basic third-party authentication scheme y Have an Authentication Server (AS) y users initially negotiate with AS to identify himself y AS provides a non-corruptible authentication credential (ticket granting ticket TGT) y Have a Ticket Granting server (TGS) y users subsequently request access to other services from TGS on basis of users TGT

FAST-NUCES Kerberos Dialogue

1. Obtain ticket granting ticket (TGT) from AS • once per session 2. Obtain service granting ticket from TGT • for each distinct service required 3. client/ server exch ange t o obt ai n servi ce • on every service request

FAST-NUCES Keebeosrberos Bas ascOvevewic Overview

FAST-NUCES *technet.microsoft.com Keebeosrberos Elabo aboatedrated

FAST-NUCES Kerberos Protocol Description

1. User Client-based Logon y A user enters a username and password on the client machines. y The cli ent perf orms a one-way function (hash usually) on the entered password, and this becomes the secret key of the client/user.

FAST-NUCES AS and TGS are the same Kerberos Protocol Description

2. Client Authentication y Client sends user ID (lets assume A) to the AS in cleartext. y AS generates the secret key by hashing the password of the user found at the database (KA). y AS sends back the following two encrypted messages to the client:

y A: Clien t/TGS Sess ion Key (SA). y B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the client /TGS sessi on k ey)td) encrypted using the secret key of the TGS i.e B ÆTGTA = KTGS(clientID, ……, SA). y KA(A, B) Æ KA(SA, TGTA) y At this point, the client has enough information to authenticate itself to the TGS.

FAST-NUCES Kerberos Protocol Description

3. Client Service Authorization y For Service request the following messages are sent to TGS:

y C: Composed of the TGTA and service ID. y D: Authenticator (client ID and the tidihimestamp encrypted with SA) i.e SA(timestamp, ClientID) y TGS decrypts D (Authenticator) and sends the following two messages to the client after encryption: y E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key ) encrypted using the service server's secret key i.e. CTSA = KSS (clientID, ……, SSA). y F: Client/Server Session Key i.e SSA. y SA(E, F) Æ SA(CTSA, SSA)

FAST-NUCES Kerberos Protocol Description

4. Client Service Request y Upon receiving messages E and F from TGS , the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages:

y E: CTSA = KSS (clientID,,, ……, SSA).. y G: A new Authenticator (client ID and the timestamp encrypted with SSA) i.e SSA(timestamp, ClientID) y SS decrypts the Authenticator and sends the following message:

y H: SSA (timestamp +1). y The client decrypts the confirmation using the Client/Server Session Key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. y The server provides the requested services to the client.

FAST-NUCES Repp()licated KDCs (AS + TGS)

Problem: The KDC is a bottleneck y If the KDC is down , it will not be possible to access remote resources (single- point-of-failure) y If the KDC is overloaded, the whole network performance will be affected

Solution: Replicated KDCs y Multiple, interchangeable KDCs y All share the same master KDC key y Have identical databases y Use of one master copy to keep all KDCs identical y All updates are done only on this master copy y All other KDCs are read-only slaves which update from the master copy (periodically or initiated by a human) y If the master copy fails, no new entries can be created, but authentication of principals still is possible with read-only KDCs

FAST-NUCES Realms

Remaining problem with replicated KDCs: consider several compp,anies, banks ,g, governments , ... in a big network: y Whoever manages the KDC can access all user master keys y It is hard to find an organization to manage the KDC that anybody would trust y Replicated KDCs are physically located at the different stakeholders’ sites, and all of them need to be secure and trusted by all stakeholders

Solution: split network into realms y Each realm has its own trusted master KDC database y typically a single administrative domain y KDCs in the same realm are equivalent y KDCs of diff erent real ms are diff erent: y Different KDC master key y Different principals (and also keys)

FAST-NUCES Kerberos Realms

FAST-NUCES Acknowledgements

Material in this lecture are taken from the slides prepared by: y Prof. Dr. Konrad Rieck (Uni-Göttingen) y PfDProf. Dr. SilSpaniol (RWTH-Ah)Aachen) y Network Security Essentials by William Stallings And y http://en.wikipedia.org/wiki/Kerberos_(protocol)

FAST-NUCES