Countering Abuse of Name Based Authentication 1

Countering Abuse of Name Based Authentication 1

Countering Abuse of Name{Based 1 Authentication Christoph L. Schuba and Eugene H. Spa ord COAST Lab oratory Department of Computer Sciences Purdue University West Lafayette, IN 47907-1398 fschuba,[email protected] Abstract Authentication for access control pro cedures is usually based on the iden- tity of participating entities. In some communications systems, identities are partially or wholly resolved using hostnames or machine addresses in the under- lying proto col suite. Access control lists and revo cation lists are often de ned on the basis of hostnames, whereby the communication subsystem at runtime utilizes machine addresses. After communications b etween two machines are established, hosts identify each other by their proto col addresses. To map this address to a high{level name, which can then b e compared with access control or revo cation lists to grantordeny access, a resolution pro cess is initiated. The abstraction from proto col addresses to high{level hostnames is necessary to hide details of het- erogeneous communication subsystems, and of dynamic network con gurations from the application layer where a uniform, high{level naming scheme is de- sired. If cryptographic capabilities are used that identify sub ject{ob ject interac- tions, authentication usually do es not dep end on host identi cation. Where host identi cation is part of the authentication, a crucial link in the chain of authentication is the asso ciation b etween hostnames and their resp ective ad- dresses. The validity of the authentication can b e trusted only as muchasthe binding pro cess itself. In the Internet this name resolution is provided by a widely{implemented distributed database system: the Domain Name System DNS. Dynamic con- guration b ehavior, system eciency, and volume of binding requests demand late binding b etween hostnames and addresses, and caching of the mappings. Therefore, bindings are established \just in time" on a need basis and are kept valid for a limited p erio d of time. 1 submitted to the twenty-second annual Telecommunications Policy Research Conference This pap er describ es problems of name{based authentication requiring late binding such as that provided by the DNS for hostname{to{address asso cia- tions. Because forward mappings where the address is a relation of the host- name and reverse mappings are maintained in unrelated parts of the database, three levels of mo di cation are p ossible: mo di ed forward mapping, mo di ed backward mapping, or b oth. The mo di cation of asso ciations enables the sp o of- ing of hostnames in sessions that dep end on the DNS. We state the problem in an abstract way and in the concrete case of the DNS. We analyze the conditions that facilitate the exploitation of the problem and explain the weaknesses that are present in the DNS. We then explore some p ossible solutions to the problem. All our prop osed solutions are evaluated byanumb er of criteria to compare e ects of the so- lutions. Each of the solutions will either consist of mechanisms that enable arbitrarily chosen p olicies, or it will require the implementation of a certain p olicy.We emphasize the solutions to improve existing name servers bymod- ifying them in a way that they rely on less trust, and to emb ed crytographic metho ds into the name resolution pro cess. 1 Intro duction The Internet is a widespread conglomeration of hundreds of thousands of intercon- nected heterogeneous networks and hosts. The design of the Internet is based on a proto col hierarchy. There exist multiple implementations of these proto cols. Computers communicate with each other on the basis of di erenttyp es of ad- dresses; on the physical layer using low{level physical addresses according to the hardware devices used, on the data link to presentation layer on a rst{level abstrac- 2 tion using host addresses such as IP addresses , and on the application layer on a second{level abstraction using high{level, pronounceable hostnames. The task of naming hosts and network domains is addressed by creating a hi- erarchical relation b etween domains, with hosts as the furthest descendants from an arti cial ro ot domain. By app ending the domain lab els one after the other to the host lab els on the path up to the ro ot in the hierarchical tree, a unique, memorizable, and usually pronounceable identi er is created: the hostname. One of the management tasks in the Internet is the mapping of lower{level addresses to these hostnames. The mapping, or binding, of IP addresses to hostnames b ecame a ma jor problem in the rapidly growing Internet. Note that this pap er do es not deal with the mapping 3 between addresses on the physical layer and transp ort layer, which is solved by ARP in the TCP/IP Internet Proto col Suite, but with the mapping b etween hostnames and IP addresses. 2 \32-bit addresses assigned to hosts that want to participate in a TCP/IP internet" [Com91] 3 \Address Resolution Proto col { used to dynamically bind a high{level IP address to a low{level physical hardware address" [Com91] 2 This higher{level binding e ort went through di erent stages of developmentup to the currently used Domain Name System DNS. The DNS is a distributed naming resolution system used by most network services available throughout the Internet. It works transparently for the user who sends email, accesses another host via telnet or rlogin, or transfers some les via ftp between hosts. The DNS provides name binding in b oth directions: given a hostname, it returns the appropriate IP addresses, and vice versa. Before hosts grant network services to users, an authentication pro cess takes place, where the users' access rights, and the identity of connecting hosts get scrutinized, according to provider p olicies. There are many notions on how access rights can b e sp eci ed. Examinations can b e based on identi cation by hostname, login name, and login password. In some cases it suces to provide the right names, and access is granted without sp ecifying any password at all. Some Berkeley r{commands see [Ste90, chapter 14] o er network services for which it is sucienttoverify user name and hostname to gain complete access. As the remote user name is sp eci ed by the connecting site, the authentication is additionally based up on the name of the connecting machine. A machine that o ers services can acquire information ab out the socket that is used by the connecting site. 4 Asocket is an abstraction for a network service access p oint NSAP: in UNIX a tuple consisting of IP address, p ort, and proto col used by the remote site. Toverify the hostname, it is the task of the DNS to map the IP address to the hostname. Because the DNS is distributed among many thousands of hosts, it can b e a critical mistake to blindly trust the resolved binding. This pap er investigates p olicies and mechanisms to solve the problem of trust in the Domain Name System. Some of these p olicies and mechanisms might b e abstractable to distributed naming services in general. Although this problem has b een known for some years now, not many publications deal with it. [Bel90] and [Sch93] are the principal accounts that we can mention as related work. [Bel90] demonstrates the subversion of system security using the DNS and discusses p ossible defenses against the attack and limitations on their applica- bility. The pap er follows suggestions from Paul V. Mo ckap etris, the designer of the DNS. In [Sch93] the details of the exploitation of the weakness are worked out and several approaches to solve the weakness in the DNS are discussed with emphasis on hardening the name server implementations and the usage of strong cryptographic metho ds for authentication. 4 UNIX is a trademark of Novell 3 2 The Problem 2.1 Statement of the Problem Authenticity is based on the identity of some entity. This entity has to prove that it is genuine. In many network applications the identity of participating entities is simply determined by their names or addresses. High{level applications use mainly names for authentication purp oses, b ecause address lists are much harder to create, understand, and maintain than name lists. Assuming an entitywants to sp o of the identity of some other entity, it is in some cases enough to change the mapping b etween its low{level address and its high{level name. That means that an attacker can fake the name of someone by mo difying the asso ciation of his address from his own name to the name he wants to imp ersonate. Once an attacker has done that, an authenticator can no longer distinguish b etween the true and the faked entity. This describ es the fundamental problem on which this pap er is based: If the binding pro cess b etween names and addresses cannot b e trusted fully, no one can rely on an authentication pro cess on a high{level. 2.2 The Problem in the DNS To understand the metho d how to deceive the DNS we rst give an example for avalid name resolution in the DNS. The resolution is based on the client{server paradigm. Any pro cess that accepts a connection from another host receives from its lower proto col layer the connecting host's IP address. The pro cess then calls its lo cal resolver with this IP address as an argument and requests the according hostname.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    21 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us