254542 Networks Management and Security Lecture 4


Page 1: 254542 Networks Management and Security Lecture 4

254542 Networks Management and Security, Lecture 4

Page 2: 254542 Networks Management and Security Lecture 4

Authentication Protocols

• The process by which a party verifies that its communication partner is not an impostor

• Authenticity does not mean authority

• Alice and Bob are called principals

• Authentication is based on
  – A shared secret key
  – A trusted 3rd party = key distribution center (KDC)

Page 3: 254542 Networks Management and Security Lecture 4

Secret-key Authentication

• Assuming A and B already share K_AB

• Based on challenges and responses

• R_i = challenge from the i-th challenger

• K_i = key of the i-th owner

• K_S = session key

Page 4: 254542 Networks Management and Security Lecture 4

Authentication using a challenge-response protocol

1. Alice → Bob: A
2. Bob → Alice: R_B
3. Alice → Bob: K_AB(R_B)
4. Alice → Bob: R_A
5. Bob → Alice: K_AB(R_A)

After all the responses, A can determine K_S and send it to B in an encrypted form

Page 5: 254542 Networks Management and Security Lecture 4

Shortened authentication using challenge-response protocol

1. Alice → Bob: A, R_A
2. Bob → Alice: R_B, K_AB(R_A)
3. Alice → Bob: K_AB(R_B)

Is it secure?

Page 6: 254542 Networks Management and Security Lecture 4

Reflection Attack

1. Trudy → Bob (first session): A, R_T
2. Bob → Trudy (first session): R_B, K_AB(R_T)
3. Trudy → Bob (second session): A, R_B
4. Bob → Trudy (second session): R_B2, K_AB(R_B)
5. Trudy → Bob (first session): K_AB(R_B)

Page 7: 254542 Networks Management and Security Lecture 4

3 Rules for Designing Authentication Protocol

• Make the initiator prove its identity before the responder has to prove its own

• Use different keys for the initiator and the responder (i.e. K_AB and K'_AB)

• The initiator and the responder should use different sets of challenges (e.g. even and odd numbers)
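The reflection attack from the previous page and the second design rule, played out in code. This is an added example, not part of the slides: the keyed function K_AB(R) is stood in for by an HMAC, Bob is modelled as a responder that keeps one pending challenge per session, and Trudy holds no key at all.

```python
import hashlib
import hmac
import os


def kab(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for K_AB(R) from the slides: a keyed MAC over the challenge (constructed here).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Responder:
    """Bob running the shortened protocol (messages 2 and 3 of the slide)."""

    def __init__(self, key: bytes, reply_key=None):
        self.key = key                       # K_AB: what Bob expects from the initiator
        self.reply_key = reply_key or key    # K'_AB: what Bob answers challenges with (rule 2)
        self.pending = {}                    # session id -> R_B still awaiting its response

    def message_2(self, session: int, r_a: bytes) -> tuple:
        r_b = os.urandom(16)
        self.pending[session] = r_b
        return r_b, kab(self.reply_key, r_a)

    def message_3(self, session: int, response: bytes) -> bool:
        r_b = self.pending.pop(session)
        return hmac.compare_digest(response, kab(self.key, r_b))


def honest_alice(bob: Responder, key: bytes, reply_key=None) -> bool:
    """Alice knows the shared key(s): she checks Bob's answer, then answers R_B herself."""
    r_a = os.urandom(16)
    r_b, answer = bob.message_2(1, r_a)
    if not hmac.compare_digest(answer, kab(reply_key or key, r_a)):
        return False
    return bob.message_3(1, kab(key, r_b))


def reflection_attack(bob: Responder) -> bool:
    """Trudy opens a second session and reflects Bob's own challenge back at him."""
    r_b, _ = bob.message_2(1, os.urandom(16))   # first session: Bob challenges with R_B
    _, answer = bob.message_2(2, r_b)            # second session: R_B sent as Trudy's challenge
    return bob.message_3(1, answer)              # Bob's own K'_AB(R_B) offered as K_AB(R_B)


K_AB = os.urandom(32)          # constructed keys for the demonstration
K_AB_PRIME = os.urandom(32)


def demo() -> dict:
    return {
        "honest_single_key": honest_alice(Responder(K_AB), K_AB),
        "attack_single_key": reflection_attack(Responder(K_AB)),             # True: Bob is fooled
        "honest_two_keys": honest_alice(Responder(K_AB, K_AB_PRIME), K_AB, K_AB_PRIME),
        "attack_two_keys": reflection_attack(Responder(K_AB, K_AB_PRIME)),  # False: rule 2 holds
    }
```

With a single key the reflected answer is exactly what Bob expects; with separate initiator and responder keys the reflected value is K'_AB(R_B), which never verifies as K_AB(R_B).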

Page 8: 254542 Networks Management and Security Lecture 4

Authentication Based on KDC

• The previous protocol has a key management problem

• With a KDC, each user has a single shared key

• The simplest known protocol = wide mouth frog

1. Alice → KDC: A, K_A(B, K_S)
2. KDC → Bob: K_B(A, K_S)

What about a replay attack?

Page 9: 254542 Networks Management and Security Lecture 4

Solutions to the Replay Attack

• Timestamp
  – Still vulnerable until the message becomes obsolete

• Nonce (one-time, unique message number)
  – Each party has to remember nonces forever
  – Or a combination of nonce and timestamp
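The nonce-plus-timestamp combination from the last sub-bullet, as an added example that is not from the slides: a receiver-side replay guard that rejects anything older than an assumed 300-second window and remembers (sender, nonce) pairs only for that long, so memory stays bounded instead of growing forever.

```python
import time

WINDOW_SECONDS = 300.0   # assumed lifetime after which a message counts as obsolete


class ReplayGuard:
    """Accepts each (sender, nonce) once while its timestamp is fresh; forgets it once obsolete."""

    def __init__(self, window: float = WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock
        self.seen = {}   # (sender, nonce) -> timestamp; only nonces inside the window are kept

    def _evict_obsolete(self, now: float) -> None:
        for key in [k for k, t in self.seen.items() if now - t > self.window]:
            del self.seen[key]

    def accept(self, sender: str, nonce: bytes, timestamp: float) -> bool:
        now = self.clock()
        self._evict_obsolete(now)
        if abs(now - timestamp) > self.window:   # obsolete (or from the future): reject
            return False
        key = (sender, nonce)
        if key in self.seen:                     # same nonce inside the window: a replay
            return False
        self.seen[key] = timestamp
        return True


def demo() -> dict:
    """Constructed timeline driven by a fake clock so the run is deterministic."""
    clock = [1_000_000.0]
    guard = ReplayGuard(clock=lambda: clock[0])
    out = {"fresh": guard.accept("alice", b"n1", clock[0])}
    out["immediate_replay"] = guard.accept("alice", b"n1", clock[0])
    clock[0] += 100
    out["replay_inside_window"] = guard.accept("alice", b"n1", 1_000_000.0)
    clock[0] += 400                              # now 500 s past the original message
    out["replay_after_window"] = guard.accept("alice", b"n1", 1_000_000.0)
    out["nonces_remembered"] = len(guard.seen)   # bounded: the old nonce has been evicted
    out["nonce_reusable_later"] = guard.accept("alice", b"n1", clock[0])
    return out
```

A timestamp alone would accept the replay inside the window; a nonce alone would need the `seen` table to grow without limit.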

Page 10: 254542 Networks Management and Security Lecture 4

Needham-Schroeder Authentication Protocol

1. Alice → KDC: R_A, A, B
2. KDC → Alice: K_A(R_A, B, K_S, K_B(A, K_S))
3. Alice → Bob: K_B(A, K_S), K_S(R_A2)
4. Bob → Alice: K_S(R_A2 - 1), R_B
5. Alice → Bob: K_S(R_B - 1)

R_A = nonce, K_B(A, K_S) = ticket

* Replay attack at message 3 with an old K_S

Page 11: 254542 Networks Management and Security Lecture 4

Otway-Rees Authentication Protocol

1. Alice → Bob: A, B, R, K_A(A, B, R, R_A)
2. Bob → KDC: A, K_A(A, B, R, R_A), B, K_B(A, B, R, R_B)
3. KDC → Bob: K_B(R_B, K_S), K_A(R_A, K_S)
4. Bob → Alice: K_A(R_A, K_S)

Page 12: 254542 Networks Management and Security Lecture 4

Authentication using Kerberos

• Developed by MIT, currently in version 5

• Widely used in the real world

• Assumes that all clocks are well synchronized

• Involves 3 servers
  – Authentication Server (AS) verifies users during login
  – Ticket-Granting Server (TGS) issues “proof of identity tickets”
  – Bob the server performs the work requested by Alice

Page 13: 254542 Networks Management and Security Lecture 4

Servers’ duties

• AS
  – Shares a secret key with every user
  – Similar to a KDC

• TGS
  – Issues tickets that verify the identity of the ticket bearer

Page 14: 254542 Networks Management and Security Lecture 4

Kerberos Operation

1. Alice → AS: A
2. AS → Alice: K_A(K_S, K_TGS(A, K_S))
3. Alice → TGS: K_TGS(A, K_S), B, K_S(t)
4. TGS → Alice: K_S(B, K_AB), K_B(A, K_AB)
5. Alice → Bob: K_B(A, K_AB), K_AB(t)
6. Bob → Alice: K_AB(t+1)

• Alice is asked for her password after message 2 arrives

• A replay attack with message 3 doesn’t work

Page 15: 254542 Networks Management and Security Lecture 4

Kerberos in Real World

• Still susceptible to password-guessing attacks
  – Heighten security at the user end

• PKI (public-key infrastructure) is being added into Kerberos
  – But still confined to the initial requests to the TGS (why?)

Page 16: 254542 Networks Management and Security Lecture 4

Intrusion Detection Systems (IDS)

• Do not
  – Block or prevent attacks

• Do
  – Notify the systems when they are being hacked

• Host and Network IDS
  – NIDS mostly looks at the network traffic: detecting potential attacks
  – Host IDS looks at host, OS, and application activities: detecting attacks that have already succeeded

Page 17: 254542 Networks Management and Security Lecture 4

IDS tools

• Auditing

• Detecting anomalous behaviors

• Pattern matching and detecting

• CERT (Computer Emergency Response Team) bulletin board – lists security problems that have been discovered and reported

Page 18: 254542 Networks Management and Security Lecture 4

Auditing

• Logfile monitors
  – Host-based IDS scanning and analyzing logfiles
  – Pattern searching

• Integrity monitors
  – Watch key system structures (system files, registry keys, etc.) for change
  – Establish a “known safe baseline” (pre-attack)
  – Should be deployed on a clean system

Page 19: 254542 Networks Management and Security Lecture 4

Signature Matchers

• A stateful NIDS that detects attacks based on a database of known attack signatures
  – Stateful means that it can track fragmented TCP packets (and reassemble them)
  – Stateless deals with individual packets

• E.g. Snort (http://www.Snort.org), which is freeware and open source

Page 20: 254542 Networks Management and Security Lecture 4

Anomaly Detectors

• NIDS, which
  – establishes a baseline of “normal” system behaviour
  – alerts when a deviation occurs
  – is sometimes categorized into “traffic anomalies” and “protocol anomalies”

• Problem: network traffic is constantly changing, especially in large networks
  – Hybrid into a more host-based IDS

Page 21: 254542 Networks Management and Security Lecture 4

Interesting Profiles Worth Watching

• Login profile
  – Login/location frequency, last login
  – Session elapsed time, session output
  – Password fails, location fails

• Command/program execution
  – Execution frequency, program IO, program CPU
  – Execution denied, program resource exhaustion

• File access activities
  – Read/write/delete/create frequency
  – Number of fails on read/write/delete/create
  – Number of records read/written
  – File resource exhaustion

Page 22: 254542 Networks Management and Security Lecture 4

Bayesian Analysis

• Applied to NIDS for diagnosis purposes

• NIDS problems
  – Keeping signature databases up to date
  – Coping with massive bandwidth (especially a stateful NIDS)
  – Capabilities limited in switched networks
  – Vulnerable to attacks (e.g. DoS)

Page 23: 254542 Networks Management and Security Lecture 4

Sensitivity vs. Specificity

• TP = true positive (intrusion correctly detected)

• FP = false positive (false alarm)

• FN = false negative (intrusion missed)

• TN = true negative (integrity correctly detected)

                    Intrusion +    Intrusion -
  IDS response +        TP             FP
  IDS response -        FN             TN

Page 24: 254542 Networks Management and Security Lecture 4

Sensitivity

• Sensitivity = true positives / (true positives + false negatives)

• More sensitivity = less likelihood of missing actual intrusions

• For identifying attacks …
  – that should never be missed
  – on areas that are easy to fix

• Best for “screening” (FN is more critical)

• Should be implemented here

[Network diagram: Internet, Router, Corporate firewall, Web server, LAN]

Page 25: 254542 Networks Management and Security Lecture 4

Specificity

[Network diagram: Internet, Router, Corporate firewall, Web server, LAN]

• Specificity = true negatives / (true negatives + false positives)

• More specificity = less likelihood of producing false alarms
  – Useful tools for the network administrator

• For identifying attacks …
  – on areas in which automatic diagnosis is critical

• Best when …
  – consequences of false-positive results are serious

• Should be implemented here

Page 26: 254542 Networks Management and Security Lecture 4

Accuracy

• Accuracy = percentage of all IDS results that are correct

• Encompasses both sensitivity and specificity

• E.g. a web server under constant attack that needs
  – Screening for any slight anomaly
  – Automatic processes to deal with any incident (due to high traffic volume)

• Can be achieved by combining layers of different IDSs

[Network diagram: Internet, Router, Corporate firewall, Web server, LAN]
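The three measures from the last three slides computed over a constructed set of sensor verdicts (added example, not from the slides). Two thresholds on the same scores stand in for a “screening” layer and a “confirming” layer; their accuracies come out identical, which is why accuracy alone does not tell you which layer to put where.

```python
# Constructed sample: (anomaly score reported by the sensor, whether an intrusion really happened)
EVENTS = [
    (0.95, True), (0.80, True), (0.55, True), (0.30, True),
    (0.90, False), (0.60, False), (0.50, False), (0.20, False), (0.10, False), (0.05, False),
]


def confusion(events, threshold: float) -> dict:
    """Fill the slide's 2x2 table for a detector that alerts when score >= threshold."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for score, intrusion in events:
        alert = score >= threshold
        if alert and intrusion:
            counts["TP"] += 1
        elif alert and not intrusion:
            counts["FP"] += 1
        elif not alert and intrusion:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


def metrics(c: dict) -> dict:
    """Sensitivity, specificity and accuracy exactly as the slides define them."""
    return {
        "sensitivity": c["TP"] / (c["TP"] + c["FN"]),
        "specificity": c["TN"] / (c["TN"] + c["FP"]),
        "accuracy": (c["TP"] + c["TN"]) / sum(c.values()),
    }


def compare(events=EVENTS, screening: float = 0.25, confirming: float = 0.75) -> dict:
    """A low threshold screens (misses nothing), a high one is specific (few false alarms)."""
    return {
        "screening": metrics(confusion(events, screening)),
        "confirming": metrics(confusion(events, confirming)),
    }
```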

Page 27: 254542 Networks Management and Security Lecture 4

Hacking IDSs:Fragmentation

• A.k.a. packet splitting

• Most common attack against NIDSs

• Splitting packets into smaller pieces
  – Difficult to analyse

• Stateful IDSs can prevent this attack but
  – Consume more resources and become less accurate as throughput increases

Page 28: 254542 Networks Management and Security Lecture 4

Hacking IDSs:Spoofing

• Spoofing TCP sequence numbers

• IDS becomes desynchronized from the host
  – And then ignores the true data stream while waiting for a forged sequence number

• IDS must be aware of the real target host

Page 29: 254542 Networks Management and Security Lecture 4

Hacking IDSs:Protocol Mutation

• For example, a typical CGI-bin request is: GET /cgi-bin/script.cgi HTTP/1.0

• If the IDS scans for /cgi-bin/cgi_script

• The attacker can modify the request to: GET /cgi-bin/subdir/../script.cgi HTTP/1.0 (“directory traversal”)

• Solution:
  – Normalize traffic to look more uniform
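The normalization solution from the last bullet, as an added example that is not from the slides: the request target is percent-decoded (repeatedly, so double-encoding collapses too) and its `.`/`..`/`//` components resolved before the signature lookup, so the mutated request on this slide matches the same signature as the plain one. The signature set is constructed for the example; a real normalizer also has to mirror how the target server itself parses paths, as the previous slide notes.

```python
import posixpath
from urllib.parse import unquote

# Constructed signature list: the path the slide's IDS is looking for, in canonical form.
SIGNATURES = {"/cgi-bin/script.cgi"}


def normalize_path(raw: str) -> str:
    """Canonicalise a request target before signature matching."""
    path = raw.split("?", 1)[0]        # the query string is not part of the path
    for _ in range(3):                 # repeat decoding so %252e%252e (double-encoded) collapses too
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")     # some servers accept backslash as a separator
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)    # resolves '.', '..' and '//'; '..' cannot climb above '/'


def request_path(request_line: str) -> str:
    """Pull the request target out of 'METHOD target HTTP/x.y'."""
    _method, target, _version = request_line.split(" ", 2)
    return target


def matches_signature(request_line: str) -> bool:
    return normalize_path(request_path(request_line)) in SIGNATURES
```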

Page 30: 254542 Networks Management and Security Lecture 4

Hacking IDSs:Attacking Integrity Checkers

• Integrity checkers
  – Initialize mode: compute checksums and collect information
  – Check mode: look for changes
  – Update mode: update signatures after a system reconfiguration

• Attacks
  – Send wrong information
  – Compromise the system between checks
  – Hide tracks by “correcting” the system by itself
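The three modes of an integrity checker (this slide and the “Auditing” slide), as an added example that is not from the slides. Update mode only re-baselines paths an operator explicitly approves, which is what stops the last attack listed: a change the attacker “corrected” into place is still reported because its digest never entered the baseline. File names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def initialize(root: str) -> dict:
    """Initialize mode: digest every file under root. Only meaningful on a clean system."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return baseline


def check(root: str, baseline: dict) -> dict:
    """Check mode: report files that changed, appeared or disappeared since the baseline."""
    current = initialize(root)
    return {"modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
            "added": sorted(p for p in current if p not in baseline),
            "removed": sorted(p for p in baseline if p not in current)}


def update(root: str, baseline: dict, approved: set) -> dict:
    """Update mode: re-baseline only the paths an operator approved after a reconfiguration.
    Everything else keeps its old digest, so a change cannot be laundered into the baseline."""
    current = initialize(root)
    new = dict(baseline)
    for path in approved:
        if path in current:
            new[path] = current[path]
        else:
            new.pop(path, None)
    return new


def write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Constructed scenario: clean baseline, one approved config change, one unapproved binary change."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/app.conf", b"debug=0\n")
        write(root, "bin/app", b"original-binary")
        baseline = initialize(root)
        write(root, "etc/app.conf", b"debug=1\n")     # legitimate reconfiguration
        write(root, "bin/app", b"tampered-binary")    # change nobody approved
        before_update = check(root, baseline)["modified"]
        baseline = update(root, baseline, {"etc/app.conf"})
        return before_update, check(root, baseline)["modified"]
```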

Page 31: 254542 Networks Management and Security Lecture 4

Future of IDSs

Problem                                      Solution
Encrypted traffic (IPSec)                    Embed IDS throughout the host stack
Increased speed and complexity of attacks    Strict anomaly detection, optimized NIDS engines, intelligent pattern matching
Increased amount of data to interpret        Visual display of data
New evasion techniques                       New traffic normalization techniques and deeper host awareness
New kernel-based attacks                     New kernel security mechanisms