CS 392/CS 681 - Computer Security · PDF fileCS 392/CS 681 - Computer Security Nasir Memon ... n Insert link to P3P policy reference file in HTML content. ... PipeNet Connection ++++

CS 392/CS 681 - Computer Security

Nasir Memon – Polytechnic UniversityModule 4 – Identity and Authentication

10/02/03 Module 4 - Identity and Auth. 2

Course Logistics

n Lab 3 postponed to Monday.n Lab 4 posted. Design due next week.

Implementation due Oct 23. Start Early!!n Midterm Oct 16. Review next week.n Old exams posted on website.n Lab still not stable. VPN connections soon.n Lab policies.


Identity and Authentication

n What is identity?A computer’s representation of an unique entity (principal).

n What is authentication?Binding principal to system’s internal representation of identity.

n Why do we need identity?n Accountabilityn Access control


Identity for Files and Objects

n Files and other objects identified by “names”n File name – humans use.n File descriptor or handle – process use.n File allocation table entry – kernel use.

n Example n Unix – inodes, file descriptors, relative and

absolute path names.n URL’s – Uniform Resource Locator.


Identity for Users

n User identity (UID)n Identity of a single entityn System represents user identity in different ways.n Not always human/physical entity.

n Example – Unixn Login namen UID - integer. UID 0 is root.n Logging done using login name.

n Same principal may have different identities.n Real and effective UID in UNIX. Used by SUID programs.n Saved UID – Free BSD and Solaris.n Audit or login UID – set at login and never changed. Allows

one to track the original UID of a process.


Groups and Rolesn Users may need to share resources.n Groups allow assignment of rights to multiple

principals simultaneously.n Group identity is static or can change.n Example – UNIX

n Each user assigned to one or more groups.n Each process has user id and group id.

n Role is a type of group that ties membership to function.n Sysadmin role, Backup role, webmaster role etc.n Allows finer grained control over access rights.n Mimics organizational structure of an enterprise.


Naming and Certificates

n Certification authority’s vouch for the identity of an entity - Distinguished Names (DN)./O=Polytechnic University/OU=CS/CN=John Doe

n Although CN may be same, DN is different.n Policies of certification

n Authentication policyWhat level of authentication is required to identify the principal.

n Issuance policyGiven the identity of principal will the CA issue a certificate?


Types of Certificates

n CA’s vouch at some level the identity of the principal.

n Example – Verisign:n Class 1 – Email addressn Class 2 – Name and address verified through

database.n Class 3- Background check.


Internet Certificate Hierarchy

Internet Policy Registration Authority

Policy Certification Authorities

Certification Authority

Individuals/roles/orgs.

Read example on page 396 of text


Types of certificates

n Organizational CertificatesPrincipal’s affiliation with an organization

n Residential certificatesPrincipal’s affiliation with an address

n Persona CertificatesPrincipal’s Identity

n Principal need not be a person. It could be a role.

n Is anonymous certificate an oxymoron? n They do get issued!


Conflicts

n X.509, PGP and IPRA remain silent on conflicts.

n They assume CA’s and PCA’s will ensure that no conflicts arise.

n But in practice conflicts may exist –n John A. Smith and John B. Smith may live at the

same address.


Assumptions

n A certificate is the binding of an external identity to a cryptographic key and a distinguished name. If the issuer can be fooled, all who rely upon the certificate can be fooled L

What is the underlying assumption?

TRUST!


Identity on the internet

n Host Identityn Related to network. Each network “layer” may use

a different name. All names point to the same host but within different context.

n Hostname, IP address, Ethernet (MAC) address.n Databases contain mappings between different

names.n Can be spoofed. Mapping mechanism may not be

secure.

n Static and dynamic identifiers.n DHCP, NAT. Local identifiers and global identifiers.


Privacy and Anonymity on the webThe New Yorker5 July 1993

Not Really!!


Privacy

n We take privacy in our daily lives for grantedn On the internet that is not the casen Examples:

n Pentium III chip serial numbersn Read via software (ActiveX or Applets)n Helps track a user over the webn After pressure from privacy activists Intel decided to

turn it off by defaultn Could be turned on by software?


Privacy

n Cookiesn Used to keep a track of the sites you visitn double-click and other advertising agencies are main

employers of cookies

n Carnivore sniffern Employed by the FBIn Almost all emails can be scanned in real timen You could encrypt your message


Privacy

n Echelonn Employed by NSAn Global surveillance systemn Participated by Australia, New Zealand, UK, and US

n E-businesses databasesn Personal information provided sold for profitn Database security flows could expose customer data,

i.e. expose of credit card information


Platform for Privacy Preferences (P3P)n P3Pn Developed by World Wide Web Consortiumn Protocol allowing users to interrogate websites about

privacyn P3P-enabled site posts machine-readable privacy

policy summary (IBM P3P editor, PrivacyBot)n User sets up his privacy preferences in his browsern User’s browser examines the summary; does not

allow access to non-compliant sitesn Compliance is voluntary. Validator available.n For more info see http://www.w3.org/P3P/


Using P3P on your Web site1. Formulate privacy policy2. Translate privacy policy into P3P format

n Use a policy generator tool

3. Place P3P policy on web siten One policy for entire site or multiple policies for different parts of

the site

4. Associate policy with web resources:n Place P3P policy reference file (which identifies location of

relevant policy file) at well-known location on server;n Configure server to insert P3P header with link to P3P policy

reference file; orn Insert link to P3P policy reference file in HTML content


A Simple HTTP transaction

WebServerGET /index.html HTTP/1.1

Host: www.att.com. . . Request web page

HTTP/1.1 200 OKContent-Type: text/html. . . Send web page

SOURCE: W3.ORG


Transaction with P3P 1.0

WebServer

GET /w3c/p3p.xml HTTP/1.1Host: www.att.comRequest Policy Reference File

Send Policy Reference File

GET /index.html HTTP/1.1Host: www.att.com. . . Request web page

HTTP/1.1 200 OKContent-Type: text/html. . . Send web page

Request P3P Policy

Send P3P Policy

SOURCE: W3.ORG


Ways to Achieve Privacy

n Encryptionn Privacy of content

n Compromised end nodes could expose everythingn CPO (chief Privacy Officer) post in companies

n Anonymityn Privacy of connection


Why Anonymity?

n A report by the American Association for the Advancement of Science (AAAS) found that:n Anonymous communication online is a morally

neutral technology.

n Anonymous communication should be regarded as a strong human right; in the U.S. it is a constitutional right (2nd amend.).


Why Anonymity?

n The Internet provides previously inconceivable opportunities for gathering info about YOU!

n Anonymous communication would provide ability for spamming, deception, and fraud.n In reality, most anonymous protocols require cooperation of

recipient.

n For “good” people: provides privacy over the net, allows anon tips for police and journalists, whistle-blowing, discussion groups.


What is Anonymity?

n Anonymus:n of unknown authorship or origin, lacking individuality,

distinction, or recognizability <the anonymous faces in the crowd>n Merriam-Webster's Collegiate Dictionary

n Anonymity does not mean that you cannot be identified.

n Anonymity means that you are indistinguishable from some particular group; The likelihood that you are the originator of a message is reduced.


Types of Anonymity

n Pfitzman and Waidner discuss 3 types of anonymity:n Sender Anonymityn Receiver Anonymityn Unlinkability of Sender and Receiver


Levels of Anonymity

n The probability of x being the initiatorn The degree of anonymity

absolute privacy

beyondsuspicion

probableinnocence

possibleinnocence

exposed provablyexposed

?p (x))(1 xpd Ix −=

0=xd021

>> xd1=xd21

>> xy ddyx dd >21=xd

Ref.: Shields, C. and Levine, B.N. 2000. A protocol for Anonymous Communication Over the Internet.


Informal Definition

n Absolute Privacy means that the attacker has no way to distinguish the situation in which a potential sender actually sent communication and those in which it did not.

n Beyond Suspicion means that the attacker can not distinguish between a set of possible senders.


Informal Definition

n Probable Innocence if in the attackers point of view, the sender appears no more likely to be the originator

n Possible Innocence from the attackers point of view if there is a nontrivial probability that the real sender is someone else.


Informal Definition

n Exposed if from the attackers point of view there is a high probability about who the sender is.

n Provably Exposed if the attacker can identify the identity of the sender and prove it to everyone else.


Proposed Solutions

Ref.: Claessens, Preneel, Vandewalle. Solution for Anonymous Communication on the Internet. IEEE 1999

++++++E-mailType 2 remailer

++++E-mailType 1 remailer

-++WWW browseRewebber/TAZ

+++++WWW browseCrowds

++++WWW browseLPWA

++++WWW browseAnonymizer

-++E-mailBabel

++++E-mailType 0 remailer

++++E-mailPseudonym

++++++ConnectionFreedom Network

-++++ConnectionPipeNet

++++ConnectionOnion Routing

AvailabilityAnonymityApplication


n Anonymizer.com, Lucent personalized web assistant.n Connections between initiator and responder using a

proxy.

n Must trust the proxy!

Single Proxy Approach

I

R

P


Pseudonymity tools

quote.com

nytimes.com

expedia.com

mfjh

asef

dsfdf

Proxy

Automatically generate user names, passwords,email addresses, etc. unique to each web site you visit

username


Chaum Mixes (1981)

B, kAC kB

Sender routes message randomly through network of “Mixes”, using layered public-key encryption.

Mix A

dest,msg kC

C kBdest,msg kC

dest,msg kC

Sender

msgMix C

kX = encrypted with public key of Mix X

Mix B


Crowds

1

2

6

3

5

4

3

5

1

6

24

Crowd members Web servers


Authentication

n “Authentication is binding of an identity to a subject.”

n What information can be used to establish this bindingn What the subject knows (secrets)n What the entity has (smart cards)n What the entity is (retinal prints)n Where the entity is (current location)

n Our focus is on subjects’ secrets!


Password based authentication

n Simple and natural mechanism. Widely used.n How do we store passwords?

n Encrypted password filen Fixed messages encrypted with passwordsn Hash of password

n First is not a good idean Second and third widely used.


Unix login and user accounts

n Users identified by usernames and authenticated by passwords

n Passwords used as key to encrypt the all zero word using crypt which uses a modified version of DES repeated 25 times. Result stored in /etc/passwd file

n All authorized users have an entry in the password file

n User name usually 8 characters and represented internally by 16 bit number –UID


The /etc/passwd file

n An entry looks as follows:jdoe:987hggw2fd435:103:1001:John Doe: /home/jdoe:/bin/csh

n The fields are (in order): Username, User’s “encrypted password”, UID, GID, User information (GECOS) field, User’s home directory and User’s shell.

n “Invalid Entry” (usually ‘*’, in password field indicates non-login account.

n In a distributed environment, passwd file entry may be somewhere on the “network”.


A sample /etc/passwd fileroot:3rztyHOkz3ZQc:0:0:root:/root:/bin/bash (if no shadow)root:*:0:0:root:/root:/bin/bash (if passwords shadowed)

bin:*:1:1:bin:/bin:daemon:*:2:2:daemon:/sbin:adm:*:3:4:adm:/var/adm:mail:*:8:12:mail:/var/spool/mail:news:*:9:13:news:/var/spool/news:uucp:*:10:14:uucp:/var/spool/uucp:operator:*:11:0:operator:/root:ftp:*:14:50:FTP User:/home/ftp:memon:*:500:500:Nasir Memon:/home/memon:/bin/bashdyu::501:501::/home/dyu:/bin/bashyuhong::502:502:yuhong yu:/home/yuhong:/bin/bashsachin:*:503:503:Sachin Tendulkar:/home/sachin:/bin/bash


The “password encryption” algorithm


Crypt

n First eight characters password used as the DES key to encrypt constant 64-bit block (consisting of all zero bits) via DES 25 times

n The result of each encryption is used to feed the next round.

n The resultant 64-bits is converted into a string of 11 printable ASCII characters by encoding every six bits into a printable ASCII character and zero padding the 11th character.


The role of Salt

• The salt is used to perturb the E expansion block. • When a password is first selected, the password

encryption program selects a random 12-bit number as the salt.

• Salt and the result is stored in password file. • Later on, when the user attempts to login the salt is

extracted from the password file and is used• The effect of salting is to allow for 4096 possible

encryptions of same password string.• With Salt two users may have the same password

but the “encrypted” versions would look different.


Salt perturbation mechanism


Dictionary attack

n To find a user’s password from the encrypted password -n Searching through all possible keys? No!n Search through all passwords is better!

n Password can be found by encrypting dictionary of possible passwords with all possible salts and comparing the result.

n Total number of passwords can be large - 708

n Set of typical passwords is surprisingly small!


Improvements

n Keep encryption algorithm secretn Security by obscurity is always a bad idea.

n Keep password file hidden from non-privligedusersn Widely used. Shadow file in Unix.

n Slow down password encryption algorithmn Unix also runs on 386 based linux box.

n Enforce better passwords.n Other mechanisms?

n One-time passwords, Biometrics, Smart cards, etc.


Rules for good passwords

n Have both upper case and lower case lettersn Have digits and punctuation characters as

well as lettersn May include some control characters and/or

spacesn Are easy to remember so that they do not

have to be written downn Are close to the maximum allowed length (at

least seven or eight characters long).


NT/W2K/WXP Passwords

n Passwords stored in encrypted form in SAM database which is part of the registry.

n SAM database is world readable but always in use, so effectively locked.

n There are actually two encrypted passwordsn LAN Manager password n NT password


LAN Manager Hash

n Developed by Microsoft for OS/2n Algorithm:

n Truncate/Pad password to 14 charactersn Upcase passwordn Split the password into two 7-byte halvesn using DES, build {c}k1 + {c}k2 , c a constant


Cracking NT passwords

n LANMAN (LM) Hash is weak and can be easily brute forced! n Breaking up into two pieces and encrypting them

separately is a dumb idea!! You just have to crack one piece at a time.

n Passwords are upper cased!!!n In fact, there is nothing much gained by having a

password longer than 7 characters! n LM hash can be disabled but Win95/98 only uses

LM hash, so often not disabled.n Make sure you use special characters in NT

passwords.


NT hash

n Later systems (NT and 95) calculateMD4(unicode password)

n … but there’s still no saltn and the password space is still smalln and most applications need to calculate both

NT hash and LMHash for backwards-compatibility


How to get Password hashes?n Registry

n If you have administrator rights you can dump password hashes from you local machine or over the network if the remote machine allows network registry access.

n SAM Filen Since OS holds a lock on the SAM file it is not possible to

just read them while the OS is running. Sometimes a backup of this file is made on tape or on an Emergency Repair Disk or in the repair directory of the system hard drive. Also, another OS such as DOS can be booted from a floppy and the password hashes can be read directly from the file system!!

n SMB Packet Capturen You can capture encrypted hashes over the network!


Authenticating over a Network

n Previous techniques are for console/workstation login. What about logging in via network?n FTP, Telnet, Rlogin, PAP, send passwords to the

remote machine. Can easily be sniffed. Use ssh!!n For NT the procedure is more involved but has a

flawed part (LM hash!)

n What we need is a challenge response protocol that is resistant to brute force and also can resist active (For example, replay and man-in-the-middle) attacks.


NT Remote Login – Challenge-Response Mechanism

n User enters password, client calculates its 16 byte hash (LM and NT) and remembers for future use.

n When client connects to server, the server generates an 8-byte random value which it sends to the client.

n Client pads 16-byte hash with 5 null bytes to get 3 56-bit DES keys. 8-byte random challenge DES encrypted with each DES key, generating a 24-byte response.

n Server compares response to that generated by user's hash values from it's password database.

n Someone sniffing only sees 8-byte challenge and 24-byte response. To obtain original hash attacker must perform three brute force DES attacks Not!

n If LM hash sent, it can be easily brute forced! – How??


Defeating NT protocol with modified client.

n Hashed password (uncracked) is password equivalent!n Client does not actually need to know the password. It

only needs to know the hashed password! The regular client software has the end user input his/her password and calculates the hashed password from the manually entered original password.

n If you have a modified client which has access to a stolen copy of uncracked Windows/NT password database, client can look up hash value to use to calculate response. Client can get authenticated without knowing the original (clear text) password!

n This means that even a good password (dictionary attack resistant) can be misused!


CHAPn Challenge Handshake Authentication Protocol (RFC

1334 and 1994).n After link establishment, authenticator send 64 bit

“challenge” to client (peer).n Peer responds with “one-way hash” of challenge and

secret (password).n Authenticator checks response by computing “one-

way hash” with its own copy of secret. If match, access allowed, else not.

n Password stored in cleartext on authenticator!!n At random intervals, challenge response repeated

with new challenge value each time.


MS-CHAP

n C->S challenge, please?n S->C 8-byte challengen C calculates NT and LM hashes, pads to 21 bytesn C divides NT and LM hash into 3 7-byte keys

each and uses them to encrypt the challengen C->S {challenge}k1 + {challenge}k2 +

{challenge}k3 , preferred hashn Both hashes are always sent


Problems with MS-CHAP

n Protocol is vulnerable to flaws in LM hashesn Many ways to speed up key searches:

n Null padding means the third key only has 215

possibilities - this gets us 2 key bytes for cheap.n Once we’ve got these, we guess the middle keys,

encrypt the LAN Manager constant under our guess and check just the last two bytes against them.

n Finally, we brute-force the first 7 bytes


MS-CHAP v21. Client requests a login challenge from the Server.2. The Server sends back a 16-byte random challenge.3a. The Client generates a random 16-byte number, called the

Peer Authenticator Challenge."3b. The Client generates an 8-byte challenge by hashing the

16-byte challenge received in step (2), the 16-byte Peer Authenticator Challenge generated in step (3a), and the Client's username.

3c. Client creates a 24-byte reply, using the Windows NT hash function and the 8-byte challenge generated in step (3b). This process is identical to MS-CHAPv1.

3d. The Client sends the Server the results of steps (3a) and (3c).


MS-CHAP v2

4a. The Server uses the hashes of the Client's password, stored in a database,to decrypt the replies. If the decrypted blocks match the challenge, the Client is authenticated.

4b. The Server uses the 16-byte Peer Authenticator Challenge from the client, as well as the Client's hashed password, to create a 20-byte Authenticator Response."

5. The Client also computes the Authenticator Response. If the computed response matches the received response, the Server is authenticated.


Deriving the 20-byte Authenticator Response

n The Server (or the Client) hashes the 16-byte NT password hash with to get password-hash-hash. (The Server stores the client's password hashed with MD4; this is the NT password hash value.)

n The Server concatenates the password-hash-hash, the 24-byte NT response, and the literal string "Magic server to client constant", and then hashes the result with SHA.

n The Server concatenates the 20-byte SHA output from step (2), the initial 8-byte generated challenge and the literal string "Pad to make it do more than one iteration", and then hashes the result with SHA.

n Resulting 20 bytes are the authenticator response.


Version Rollback Attackn Since Microsoft has attempted to retain some backwards

compatibility with MS-CHAPv1, it is possible for an attacker to mount a "version rollback attack" .

n In this attack, the attacker convinces both the Client and the Server not to negotiate the more secure MS-CHAPv2 protocol, but to use the less secure MS-CHAPv1 protocol.

n Microsoft claims that the operating systems will try to negotiate MS-CHAPv2 first, and only drop back to MS-CHAPv1 if the first negotiation fails

n Additionally, it is possible to set the Server to require MS-CHAPv2. n Software switches to turn off backwards compatibility are registry

settings, and can be difficult to find. n Since older versions of Windows cannot support MS-CHAPv2,

backwards compatibility must be turned on if there are any legacy users on the network.

n Hence version rollback attacks are a significant threat.


MS-CHAP v1 and v2

Client sends 16-byte peer challenge that was used in creating the hidden 8-byte challenge, and the 24-byte NT response.

Client sends 24-byte LANMAN and 24-byte NT response to 8-byte challenge.

Server sends a 16-byte value to be used by the client in creating an 8-byte challenge value.

Server sends an 8-byte challenge value.

Negotiates CHAP with an algorithm value of 0x81.

Negotiates CHAP with an algorithm value of 0x80.

MS-CHAP Version 2MS-CHAP Version 1


MS-CHAP v1 and v2

Client decides to continue or end based upon the SUCCESS or FAILURE response above. In addition, Client checks the validity of the Authenticator Response and disconnects if it is not the expected value.

Client decides to continue or end based upon the SUCCESS or FAILURE response above.

Server sends a response stating SUCCESS or FAILURE and piggybacks an Authenticator Response to the 16-byte peer challenge.

Server sends a response stating SUCCESS or FAILURE.


One-Time Passwords

n Password is invalidated as soon as it’s usedn Two properties of one-time password scheme

n Passwords should be randomly generatedn Client and server must be synchronized

n Lamport suggested following schemeGenerate: h(k0)=k1, h(k1)=k2, h(k2)=k3 … h(kn-1)=kn

Register kn with server.Use in this order: p1= kn-1, p2= kn-2 … pn-1=k1

n S/Key and OPIE (One Time Passwords In Everything)


Kerberos

n An authentication service for distributed systems.n Client Workstations – Public places, untrusted

software.n Server Machines – Moderately secure rooms,

potentially untrusted software.n Key distribution machines (KDC’s) – Secure areas,

trusted software.

n Developed at MIT – Project Athena. n Current Version 5.


Kerberos - Goals

n Securen Next slide.

n Reliablen Lack of availability of kerberos service means lack

of availability of supported service.

n Transparentn Minimum modification to existing network

applications.

n Scalablen Modular distributed architecture.


Kerberos – Security Goals

n No cleartext passwords over network.n No cleartext passwords stored on servers.n Minimum exposure of client and server keys.n Compromises should only affect current

session.n Limited authentication time but reusable

within that time.n Require password only at login.


Kerberos - Assumptions

n Public key crypto is too expensive. DES is good enough.

n Global clock.n There is a way to distribute authorization

data.n Kerberos provides authentication and not

authorization.


Kerberos Authentication (1)

Joe KDCI would like toTalk to the File Server

KDC

Step 1Joe toKDC

Step 2KDC Session key

for User

Session key for service



Step 3KDC

Session Key forJoe

Dear Joe,This key for File server

Box 1

LockedWith Joe’skey

Session Key forFile server

Dear File server,This key for Use with Joe

Box 2

LockedWith FileServer’skey

Joe KDCStep 4KDC to Joe

Box 1 Box 2



Dear Joe,This key for File server

OpenedBox 1 Session Key for

File server


Box 2


Step 5Joe

Step 6Joe

Session Key forFile server


Box 2


Dear File server,The time is

3:40 pm

Box 3

LockedWith Sessionkey



Joe FileServer

Step 7Joe toFileserver

Box 2 Box 3

Step 8Fileserver Dear File server,

This key for Use with Joe

UnlockedBox 2

Dear File server,The time is

3:40 pm

UnlockedBox 3



n For mutual authentication, file server can create box 4 with time stamp and encrypt with session key and send to Joe.

n Box 2 is called ticket.n KDC issues ticket only after authenticating

passwordn To avoid entering passwords every time

access needed, KDC split into two –authenticating server and ticket granting server.


Kerberos– One Slide Overview


Kerberos – Protecting Application Data.

n A by-product of the Kerberos authentication protocol is the exchange of the session key between the client and the server – this can be used for encryption.

n Kerberos defines two message types - safe message and private message to encapsulate data that must be protected, but the application is free to use another method.


Kerberos – Additional features and extensions

n Features present in Version 5 include n renewable and forwardable ticketsn support for higher level authorization mechanisms.n support for multi-hop cross-realm authentication.

n Extensions includen One time passwordsn Public Key Cryptographyn Change password protocoln Realm mixed in with password prior to hash,

enabling same password in multiple realms in more secure manner.

n Pre-authentication


Kerberos - Limitations

n Every network service must be individually modified for use with Kerberos.

n Does not work well in time-sharing environment (Keeps keys in /tmp!!). One user per workstation.

n Requires secure Kerberos server.n Requires continuously available server.n Stores all passwords with single key.n Does not protect against Trojan horses on

clients.


Further Reading

n Unix password securityhttp://www.ja.net/CERT/Belgers/UNIX-password-security.html

n L0pht Heavy Industries http://www.l0pht.com/(NT password security and cracker)

n MIT Kerberos site: http://web.mit.edu/kerberos/www/

n Kerberos RFC ftp://ftp.isi.edu/in-notes/rfc1510.txt

Documents

CS 392/CS 681 - Computer Security · PDF fileCS 392/CS 681 - Computer Security Nasir Memon ... n Insert link to P3P policy reference file in HTML content. ... PipeNet Connection ++++