  • Kerberos was developed at MIT as part of Project Athena. The idea is a centralized, trusted server that authenticates every client-server connection on a distributed network, so that neither endpoint has to trust the network itself.
    1. Week 3 Lecture: Access Control. Chapters covered: 3, 4, 8, 11, 22. CIT 515 - Network and Internet Security, Dr. May El Barachi
    2. Reading and Quiz Materials: Chapter 3, pages 53-56; Chapter 4, pages 66-76; Chapter 8, pages 199-203; Chapter 11, pages 264-280; Chapter 22, pages 577-581
    3. Objectives
       • Access control
       • Authentication methods: password, token, biometric; single sign-on vs. password synchronization; Kerberos, SESAME
       • Access control models: DAC, MAC, RBAC
       • Access control administration: centralized, decentralized
       • Access control types: technical, physical, administrative
       • Access control categories: deterrent, preventive, ...
       • Access control principles
       • Access control attacks and countermeasures
       • Access control assessment
    4. Objectives
       • Authentication: who goes there? Determines whether access is allowed by verifying the identity of a subject: human to machine, or machine to machine.
       • Authorization: are you allowed to do that? Once you have access, what can you do? Enforces limits on actions.
    5. Authentication Methods. To verify their identity, users can provide:
       • Something you know: username and password; birthday, address, passport number
       • Something you have: smart card, token, ATM card
       • Something you are: biometrics
       • Somewhere you are: IP address, GPS position
    6. Two-Factor Authentication (Strong Authentication): combine two different factors (for example something you have plus something you know) to authenticate users. Two instances of the same factor, such as a password and a PIN, do not count as two factors.
    7. Password-Based Authentication
       • How is the password communicated? Eavesdropping risk (listening to someone's private conversation without their knowledge).
       • How is the password stored? In the clear, encrypted, or hashed?
       • How does the system check the password? Compute the hash of what was entered and compare it to the stored hash.
       • How can we make the hashed passwords harder to guess? Use a salt.
    9. Password-Based Authentication. How easy is it to identify the password?
       • Electronic monitoring (network sniffing)
       • Keystroke loggers (hardware and software)
       • Access to the password file
       • Password guessing: dictionary attacks, brute-force attacks, rainbow tables
       • Social engineering: phishing, pharming, vishing; shoulder surfing; piggybacking; dumpster diving; reverse social engineering
    10. Password-Based Authentication: hardware keylogger (image)
    11. Password-Based Authentication: phishing (image)
    12. Password-Based Authentication: Password Controls
       • Password length and composition
       • Password aging
       • Password history
       • Password attempts (lockout)
       • Password storage
       • One-time passwords
       • User education
       • Display of the last successful login
    13. Password-Based Authentication: Hashing. The LM hash is weak (the password is upper-cased, padded to 14 characters and split into two 7-character halves that are attacked independently) and is no longer stored by default from Windows Vista/7 onward. The NT hash is stronger but unsalted, so identical passwords produce identical hashes and precomputed (rainbow) tables apply across every account.
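To make the salt point on slides 7 and 13 concrete, here is an added example (not from the lecture slides) that runs the same dictionary attack against an unsalted password store and a salted one. SHA-256 stands in for the unsalted NT hash and PBKDF2-HMAC-SHA256 for a salted scheme; the user list, the dictionary and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor (assumed; tune for your hardware)

# Constructed sample: two users share a weak password, one has a strong one
USERS = {"alice": "letmein", "bob": "letmein", "carol": "k7#Lq9!vZp2m"}
DICTIONARY = ["password", "letmein", "123456", "qwerty", "Winter2024"]


def unsalted_hash(password: str) -> str:
    """Unsalted hash: equal passwords give equal hashes, so one precomputed table
    cracks every account. SHA-256 stands in here for any unsalted scheme such as the NT hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). Returns (salt, hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored)


def crack_unsalted(stored: dict, dictionary: list) -> dict:
    """Dictionary attack with a lookup table built once and reused for every account
    (the rainbow-table situation from slide 9)."""
    table = {unsalted_hash(word): word for word in dictionary}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: dict, dictionary: list):
    """Same attack against salted records: every candidate must be re-hashed per user,
    because equal passwords no longer share a hash. Returns (found, hash_operations)."""
    found, work = {}, 0
    for user, (salt, h) in stored.items():
        for word in dictionary:
            work += 1
            if verify_salted(word, salt, h):
                found[user] = word
                break
    return found, work


def build_stores():
    """Both password stores for the constructed users: {user: hex} and {user: (salt, hash)}."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return unsalted, salted
```

With the unsalted store, alice and bob have the same hash and the attacker hashes the dictionary once; with the salted store the attacker has to repeat the full PBKDF2 cost for every user and every guess, which is where the iteration count bites.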
    14. Token-Based Authentication. More secure than passwords alone, but tokens may suffer battery failure and cards may get damaged. Types of tokens:
       • Synchronous: based on time
       • Asynchronous: based on challenge/response
    15. Token-Based Authentication: Synchronous Tokens (diagram). Time-synchronized authentication: the user's token and the RSA ACE Server (or a firewall running the RSA ACE Agent) run the same algorithm over the same seed and the same time, so both compute the same one-time code. The seed is the shared secret; whoever holds it can compute every future code.
    16. Token-Based Authentication: Asynchronous Tokens (diagram). Steps: 1. the client sends a request to the authentication server; 2. a challenge is displayed on the screen; 3. the user enters the PIN into the token; 4. the user enters the challenge and the token computes its response; 5. the user enters the response from the token into the computer; 6. the response is sent to the authentication server; 7. the authentication server validates the client.
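The two token types on slides 14-16, as an added example that is not part of the lecture and is not RSA's or Gemalto's code: a time-synchronized code computed from a shared seed with HOTP-style truncation (RFC 4226), verified with a small drift window, and a challenge/response token that must be unlocked with a PIN and whose challenge the server accepts only once. The 60-second step, 6-digit codes, seed and PIN are assumed values.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60      # seconds per time step of the synchronous token (assumed value)
DIGITS = 6     # code length shown on the token display (assumed value)


def _truncate(mac: bytes) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): a 31-bit window chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def sync_code(seed: bytes, now: int, step: int = STEP) -> str:
    """Synchronous token: the code depends only on the shared seed and the current time step."""
    return _truncate(hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest())


def verify_sync(seed: bytes, code: str, now: int, window: int = 1, step: int = STEP) -> bool:
    """Server side: also accept the neighbouring time steps so a little clock drift is tolerated."""
    return any(hmac.compare_digest(sync_code(seed, now + k * step, step), code)
               for k in range(-window, window + 1))


def async_response(seed: bytes, challenge: str) -> str:
    """The computation both the token and the server run over the displayed challenge."""
    return _truncate(hmac.new(seed, challenge.encode(), hashlib.sha1).digest())


class Token:
    """Asynchronous (challenge/response) token: the PIN unlocks it, then it answers a challenge."""
    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            raise PermissionError("wrong PIN")
        return async_response(self.seed, challenge)


class ChallengeServer:
    """Authentication server side of the asynchronous flow: one outstanding challenge per user."""
    def __init__(self, seeds: dict):
        self.seeds = seeds          # user -> seed shared with that user's token
        self.pending = {}           # user -> challenge still waiting for a response

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(4).upper()   # 8 hex digits shown to the user
        return self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)            # one-shot: a replayed response fails
        if challenge is None or user not in self.seeds:
            return False
        return hmac.compare_digest(async_response(self.seeds[user], challenge), response)
```

The drift window is the practical trade-off on the synchronous side: a wider window tolerates a token whose clock has wandered but lets a captured code stay valid for longer. On the asynchronous side the challenge is consumed on first use, so a sniffed response is worthless against the next login.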
    17. Token Products: RSA (image)
    18-19. RSA Two-Factor Authentication Hacked, March 2011 (images). The breach exposed SecurID seed records, the shared secret on which the time-synchronized scheme of slide 15 depends.
    20. RSA Admits the Breach and Replaces 40 Million Tokens, 6 June 2011 (image)
    21. Token Products: Gemalto (image)
    22. Biometric-Based Authentication
       • Face recognition: error rates up to 20% given reasonable variations in lighting, viewpoint and expression
       • Fingerprints: the traditional method for identification; distinguishes 30-40 details of the peaks, valleys and ridges of the user's fingerprint; 1911: first US conviction on fingerprint evidence; the U.K. traditionally requires a 16-point match; probability of a false match is about 1 in 10 billion; fingerprint damage impairs recognition
    23. Forging Fingerprints Using Molding (image)
    24. Forging Fingerprints Using Surgical Operations (image)
    25. Forging Fingerprints Using Actual Fingers (image)
    26. Biometric-Based Authentication
       • Iris scanning: takes a picture of the iris (the colored part of the eye); iris patterns are highly random but stable through life, and differ between a person's two eyes; equal error rate better than 1 in a million; works with contact lenses and glasses; the best biometric mechanism currently known
       • Retina pattern: laser scan of the blood vessels at the back of the eye; the retina can change due to medical conditions, so the scan also reveals the user's health (privacy issues?)
       • Hand geometry: identifies the user by the shape of the fingers and hand
       • Voice recognition
    27. Biometric-Based Authentication: error rates
       • False Rejection Rate (FRR): the system rejects an authorized individual
       • False Acceptance Rate (FAR): the system accepts an intruder who should have been rejected
       • Crossover Error Rate (CER): the point where FRR equals FAR; the metric used to compare biometric systems (lower is better). Tightening the match threshold lowers FAR but raises FRR, and loosening it does the reverse.
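FAR, FRR and CER computed from matcher scores, as an added example that is not in the slides: given constructed genuine and impostor score samples, it sweeps the decision threshold, reports both error rates, locates the crossover, and shows what a policy that caps FAR costs in FRR. The score lists are made up for the example; a real evaluation uses thousands of trials per class.

```python
# Constructed matcher similarity scores in [0, 1]:
#   genuine  = the legitimate user compared with their own enrolled template
#   impostor = someone else compared with that template
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.60, 0.93, 0.87]
IMPOSTOR_SCORES = [0.30, 0.45, 0.20, 0.55, 0.65, 0.40, 0.35, 0.50, 0.25, 0.70]


def far(impostor, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for thresholds 0.00 .. 1.00; FAR falls and FRR rises as it tightens."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps)) for i in range(steps + 1)]


def crossover(genuine, impostor, steps=100):
    """Crossover Error Rate: the (lowest) threshold at which FAR and FRR are closest to equal.
    Returns (threshold, FAR, FRR); the error rate at that point is the CER used to rank systems."""
    return min(error_curve(genuine, impostor, steps), key=lambda p: (abs(p[1] - p[2]), p[0]))


def choose_threshold(genuine, impostor, max_far, steps=100):
    """Policy helper: the loosest threshold whose FAR does not exceed max_far, with its FRR cost.
    Returns None if no threshold meets the cap."""
    for t, f_a, f_r in error_curve(genuine, impostor, steps):
        if f_a <= max_far:
            return t, f_a, f_r
    return None
```

For a door into a server room you would pick the threshold by capping FAR and accept the resulting FRR; for a phone unlock you would do the opposite. The CER is only a single summary number for comparing two sensors, not the operating point you deploy.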
    28. Single Sign-On (SSO)
       • A user authenticates once and then accesses resources in the environment without re-authenticating to each one.
       • The user authenticates once to the SSO service; whenever the user accesses a new application, the SSO service supplies the necessary authentication information.
       • Can be difficult to integrate across different applications and platforms.
    29. Reduced Single Sign-On (Password Synchronization)
       • Like SSO, a single credential for many systems, but with no inter-system session management: the user must log into each system separately, but all of them use the same username and password.
       • Will the user choose a complex password?
       • Weakness of SSO and RSSO: an intruder who compromises the one password can access all systems. Best combined with two-factor authentication.
    30. SSO Summary: a trusted authentication service on the network that knows all passwords, users' and servers'. Time sensitive. Convenient, but a single point of failure that requires a high level of physical security.
    31. SSO Summary (diagram): the SSO server knows all users' and servers' passwords. The user proves his identity and requests a ticket for some service; the user gets the ticket; the ticket is used to access the desired network service.
    32. SSO: Kerberos, a network authentication protocol developed by MIT
       • Three components: client; server; Key Distribution Center (KDC), which comprises the Authentication Server (AS) and the Ticket Granting Server (TGS)
       • Process: the client obtains a service ticket from the KDC and presents the ticket to the server when a connection is established
       • Cryptography: Kerberos uses symmetric-key encryption only. Version 4 used DES; version 5 negotiates the cipher, and current deployments use AES.
    33. SSO: Kerberos Steps (diagram). User Ahmed authenticates to the Kerberos Authentication Service with his user key and receives a Ticket Granting Ticket (TGT) encrypted under the TGS key, containing the user name, the user's address, a validity period and a session key; the same session key is returned to him encrypted under his user key. He then presents the TGT to the Ticket Granting Service and receives a service ticket, encrypted under the service's key, containing the user name, user address, validity and a new session key, plus a copy of that session key encrypted under the session key he shares with the TGS.
    34. SSO: Kerberos Steps (diagram, continued). The user presents the service ticket to the server; the server decrypts it with its own key, recovers the session key, and returns a confirmation encrypted under that session key.
    35. SSO: SESAME. Another SSO option is SESAME, the Secure European System for Applications in a Multivendor Environment. Kerberos uses symmetric encryption only; SESAME uses both symmetric and asymmetric encryption.
    37. Basic Access Control Concepts
       • Subjects: active entities that do things, e.g. humans, processes
       • Objects: passive things that things are done to, e.g. files, data, websites
       • Rights: the actions that may be taken, e.g. read, write, share
    38. Access Control Models. Authenticated users can access the system based on:
       • Discretionary Access Control (DAC)
       • Mandatory Access Control (MAC)
       • Role-Based Access Control (RBAC)
       • Rule-Based Access Control (also abbreviated RBAC; sometimes written RuBAC to avoid the clash)
    39. Access Control Models: Discretionary Access Control (DAC)
       • Subjects have full control over the objects they own; the "discretionary" part means the file owner can change the file's permissions at any time.
       • The most common access control model, used in both UNIX and Windows operating systems.
       • Uses file permissions and ACLs to restrict access based on the user's identity or group membership.
    40. Access Control Models: Mandatory Access Control (MAC)
       • Restricts access based on the sensitivity of the information and whether the user has the authority to access it. Each subject and object is labeled with a sensitivity level.
       • U.S. Government security labels: Top Secret (grave damage); Secret (serious damage); Confidential (damage); Unclassified.
       • A subject may read an object only if its clearance is equal to or greater than the object's label (and, where labels carry compartments, only if it holds every compartment on the object: need-to-know). Labels are assigned by the system, not by the owner, which is what separates MAC from DAC.
       • MAC systems are usually focused on preserving the confidentiality of data.
    41. Access Control Models: Role-Based and Rule-Based
       • Role-Based Access Control (RBAC): managing access and privileges based on the user's assigned roles. Examples: SecurityAdmin, DatabaseAdmin, EmailAdmin, Nurse.
       • Rule-Based Access Control: access is allowed or denied based on a set of predefined rules established by the administrator. Examples: limited login hours, limited BitTorrent traffic.
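Slides 39-41 describe the four models in words; the following is an added example, not from the lecture, that implements each as a small decision function: an owner-managed ACL for DAC, a level-plus-compartment label lattice for MAC, a role-to-permission table for RBAC using the roles named on the slide, and an ordered rule list for rule-based control that ends in implicit deny. The level names are the U.S. labels from slide 40; the compartment, the permission strings and the rules are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# MAC: ordered sensitivity levels from slide 40; compartments model need-to-know (constructed)
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A clearance dominates a label when its level is at least as high
        and it holds every compartment the label carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_read_allowed(clearance: Label, obj_label: Label) -> bool:
    """Simple security property ("no read up"): read only what the clearance dominates.
    The labels are fixed by the system; no user can grant their way around this check."""
    return clearance.dominates(obj_label)


class DacFile:
    """DAC: the owner holds the ACL and is the only subject allowed to change it."""
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "share"}}

    def grant(self, actor: str, user: str, rights: Set[str]) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this file")
        self.acl.setdefault(user, set()).update(rights)

    def allows(self, user: str, right: str) -> bool:
        return right in self.acl.get(user, set())


# RBAC: permissions hang off roles and users are assigned roles (roles from slide 41,
# permission strings constructed)
ROLE_PERMS: Dict[str, Set[str]] = {
    "SecurityAdmin": {"policy:edit", "log:read"},
    "DatabaseAdmin": {"db:backup", "db:restore"},
    "EmailAdmin": {"mailbox:create", "mailbox:delete"},
    "Nurse": {"chart:read", "chart:update"},
}


def rbac_allowed(user_roles: List[str], permission: str) -> bool:
    return any(permission in ROLE_PERMS.get(role, set()) for role in user_roles)


# Rule-based: ordered administrator rules over the request context; first match decides,
# and a request that matches nothing is denied (implicit deny, slide 59)
Rule = Tuple[Callable[[dict], bool], bool]
RULES: List[Rule] = [
    (lambda ctx: ctx["protocol"] == "bittorrent", False),   # limited BitTorrent traffic
    (lambda ctx: 8 <= ctx["hour"] < 18, True),              # limited login hours
]


def rule_allowed(rules: List[Rule], ctx: dict) -> bool:
    for condition, decision in rules:
        if condition(ctx):
            return decision
    return False   # implicit deny: nothing matched, so no access
```

Note the difference in who can change the answer: in `DacFile` the owner can widen access at will, in the MAC check nobody below the system can, and in the rule list the order matters because the BitTorrent deny must sit before the login-hours allow.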
    42. Access Control Models: Examples (table; the preferred-model column is empty in the source)
       Organization goal         | Preferred access control model
       Normal level of security  |
       High turnover rate        |
       High level of security    |
    43. What Next? Access Control Administration. Once the organization has determined which access control model it will use, it needs to choose an administration type to support that model. Access control administration can be:
       • Centralized: usernames and permissions maintained in one location; one entity makes all AAA decisions (Authentication, Authorization and Accountability), e.g. SSO, RADIUS, Diameter, TACACS
       • Decentralized: usernames and permissions stored in different locations; lets IT administration sit closer to the mission and operations of the organization
    44. Centralized Access Control Administration: RADIUS
       • Remote Authentication Dial-In User Service (RADIUS) is a third-party authentication protocol.
       • Considered an "AAA" system with three components: authentication, authorization and accounting.
       • Authenticates a subject's credentials against an authentication database; authorizes users by allowing specific users access to specific data objects; accounts for each data session by creating a log entry for each RADIUS connection made.
    45. Centralized Access Control Administration: Diameter and TACACS
       • Diameter: RADIUS's successor, designed to provide an improved AAA framework. RADIUS provides limited accountability and has problems with flexibility, scalability, reliability and security; Diameter is more flexible and supports mobile remote users.
       • TACACS and TACACS+: Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and a static (reusable) password for authentication. Reusable passwords are a security vulnerability; the improved TACACS+ provides better password protection by allowing two-factor strong authentication and, unlike RADIUS (which obfuscates only the password field), encrypts the whole packet body.
    46. Centralized Access Control Administration: PAP and CHAP
       • Password Authentication Protocol (PAP): not a strong authentication method. The user enters a password, which is sent across the network in clear text; sniffing the network discloses plaintext passwords.
       • Challenge Handshake Authentication Protocol (CHAP): provides protection against playback (replay) attacks. A central authenticator challenges remote users with a fresh random value, and the peer answers with a hash of that challenge and a "secret" known only to the authenticator and the peer; the secret itself is never sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual
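PAP and CHAP side by side, as an added example that is not from the slides: what a sniffer sees in each case, the RFC 1994 response computation MD5(Identifier || secret || Challenge), and why a captured response cannot be replayed against a later challenge. The peer name, shared secret and PAP password are constructed.

```python
import hashlib
import hmac
import os


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request as it crosses the link: the password is right there in clear text."""
    return b"PAP " + peer_id + b":" + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge Value).
    Both ends know the secret; only the hash crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge, usedforsecurity=False).digest()


class ChapAuthenticator:
    """Central authenticator: issues a fresh random challenge, checks the response, never sends the secret."""
    def __init__(self, secrets_db: dict):
        self.secrets = secrets_db      # peer name -> shared secret (held by both ends only)
        self.pending = {}              # identifier -> challenge value still outstanding
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id & 0xFF           # one-octet Identifier field
        self.next_id += 1
        value = os.urandom(16)                     # unpredictable, so old responses are useless
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # each challenge is usable exactly once
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def sniffer_sees_pap(password: bytes, peer_id: bytes = b"ahmed") -> bool:
    """An eavesdropper on a PAP link recovers the password directly from the packet."""
    return password in pap_request(peer_id, password)


def sniffer_sees_chap(secret: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    """An eavesdropper on a CHAP link sees the Challenge and Response packets, but not the secret."""
    wire = bytes([identifier]) + challenge + bytes([identifier]) + response
    return secret in wire
```

CHAP still leaves the secret open to an offline dictionary attack by anyone who captured a challenge/response pair, which is why the secret must be long and random rather than a user-chosen password.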
    47. What Next? Access Control Techniques. Once the organization has chosen its access control model and administration type, it needs to identify techniques to support them. Access control techniques come in three types (administrative, technical, physical) and six categories (preventive, deterrent, detective, corrective, recovery, compensating).
    48. Access Control Types
       • Administrative: policies, procedures, standards, e.g. password policies, pre-employment checks, security awareness
       • Technical: hardware or software for IT security, e.g. authentication, encryption, firewalls, anti-virus
       • Physical: controls you can typically see, e.g. key-card entry, fencing, video surveillance, locks, guard dogs, gates, guards, alarms, badges
    49. Access Control Categories. Access controls fall into six categories:
       • Preventive: avoids an incident from happening
       • Deterrent: discourages a potential attacker
       • Detective: alerts and aids in identification after the fact
       • Corrective: repairs damage and restores systems after an event
       • Recovery: restores normal operations
       • Compensating: contains weaknesses in other controls
    50. Access Control Categories: Preventive controls are intended to avoid an incident from happening, e.g. firewalls, anti-virus software, fences, policies, pre-employment screening.
    51. Access Control Categories: Deterrent controls are intended to discourage a potential attacker and are highly visible, e.g. guards, guard dogs, an "electric fence" sign. Detective controls alert and aid in identification after the fact, e.g. video surveillance, audit logs, IDS, motion detectors.
    52. Access Control Categories: Corrective controls fix components or systems after an incident has occurred; they are post-event controls meant to prevent recurrence. A corrective control can at the same time be preventive, detective, deterrent or administrative, e.g. termination, reassignment, reboot, restart, fire extinguisher, antivirus.
    53. Access Control Categories: Recovery controls are intended to bring systems back to regular operations, e.g. hot site, backups, incident response plan. Compensating controls are additional security controls put in place to compensate for weaknesses in others, e.g. daily monitoring of the anti-virus console, monthly review of administrative logins, a web application firewall in front of a buggy application.
    54. Access Control Types & Categories (table, image)
    55. Access Control Types & Categories (table, image, continued)
    56. Access Control Principles: 1. Least Privilege; 2. Separation of Duties; 3. Implicit Deny; 4. Job Rotation; 5. Layered Security; 6. Diversity of Defense; 7. Security Through Obscurity; 8. Keep It Simple
    57. Access Control Principles: Least Privilege
       • A subject (user, application or process) should have only the rights and privileges necessary to perform its task, and no additional permissions.
       • By limiting a subject's privilege, we limit the amount of harm that can be caused by it, or by an attacker who compromises it.
       • For example, a person should not be routinely logged in as an administrator; they should log in with a regular user account and change context (e.g. sudo or runas) only to perform administrative duties.
    58. Access Control Principles: Separation of Duties
       • For any given task, more than one individual needs to be involved, so that no single individual can abuse the system. Applicable to physical environments as well as network and host security.
       • Important tasks include financial transactions, software changes, and user account creation and changes.
       • Potential drawback is the cost: time (tasks take longer) and money (two people must be paid instead of one).
    59. Access Control Principles: Implicit Deny
       • If a particular situation is not covered by any of the rules, access is not granted: any individual without proper authorization cannot be granted access.
       • The alternative to implicit deny is to allow access unless a specific rule forbids it, which fails open whenever a rule is missing.
    60. Access Control Principles: Job Rotation
       • Rotating individuals through different tasks and duties in the organization's IT department.
       • Individuals gain a better perspective of how the various parts of the IT department can help or hinder the organization.
       • Prevents a single point of failure where only one employee knows mission-critical job tasks.
    61. Access Control Principles: Diversity of Defense
       • Complements the layered security approach by making the different layers of security dissimilar.
       • Even if attackers know how to get through the system that implements one layer, they may not know how to get through the next layer, which uses a different system.
    62. Access Control Principles: Keep It Simple
       • The simple security rule is the practice of keeping security processes and tools simple and elegant: simple to use, simple to administer, and easy to troubleshoot.
       • A system should run only the services it needs in order to do its job, and no more.
    63. Access Control Threats & Countermeasures (table; the countermeasure column is empty in the source)
       Attack                                              | Countermeasure
       Port scanning                                       |
       Application vulnerability scanning                  |
       Denial of service (DoS or DDoS)                     |
       Man-in-the-middle attacks (sniffing, TCP hijacking) |
       Virus, worm, Trojan, logic bomb                     |
       Password attacks (guessing, dictionary, brute force)|
       Social engineering (spoofing, phishing)             |
       Physical attacks                                    |
    64. Access Control Assessment
       • Penetration testing: performed by an authorized white-hat hacker to determine whether a black-hat hacker could do the same. The tester can have zero knowledge ("blind": public information only), full knowledge (internal information, e.g. network diagrams, policies, procedures, reports from previous testers), or partial knowledge (limited trusted information).
       • Vulnerability testing: scans a network or system for a list of predefined vulnerabilities. Examples of automated tools: Nessus, MBSS, Retina, ISS.
       • Security audit: the organization is tested against a published standard, e.g. Payment Card Industry (PCI) compliance.
    66. Kerberos. In Greek mythology, a many-headed dog, the guardian of the entrance to Hades. (Slide footer: Henric Johnson.)
    67. Kerberos: Problem Statement
       • Users wish to access services on distributed servers.
       • Servers wish to restrict access to authorized users and to authenticate requests for service.
       • Three threats exist: a user pretends to be another user; a user alters the network address of a workstation; a user eavesdrops on exchanges and mounts a replay attack.
    68. What is Kerberos?
       • A key distribution and user authentication service developed at MIT.
       • Provides a centralized authentication server to authenticate users to servers and servers to users.
       • Relies on conventional (symmetric) encryption, making no use of public-key encryption.
       • Two versions: version 4 and version 5. Version 4 makes use of DES.
    69. Kerberos Requirements. Its first report identified the requirements as: secure, reliable, transparent, scalable. Implemented using an authentication protocol based on Needham-Schroeder.
    70. Kerberos v4 Overview
       • A basic third-party authentication scheme.
       • An Authentication Server (AS): users initially negotiate with the AS to identify themselves, and the AS provides a non-corruptible authentication credential, the ticket granting ticket (TGT).
       • A Ticket Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of their TGT.
       • Uses a complex protocol built on DES.
    71. Kerberos v4: Related Terms
       • C = client
       • AS = authentication server
       • V = server
       • IDc = identifier of the user on C
       • IDv = identifier of V
       • Pc = password of the user on C
       • ADc = network address of C
       • Kv = secret encryption key shared by AS and V
       • TS = timestamp
       • || = concatenation
    72. A Simple Authentication Dialogue
       (1) C → AS: IDc || Pc || IDv
       (2) AS → C: Ticket
       (3) C → V: IDc || Ticket
       Ticket = E_Kv[IDc || ADc || IDv]
       Problems: the password Pc crosses the network in the clear in message (1) and must be re-entered for every service, and a ticket captured in (3) can be replayed by anyone who can spoof ADc.
    73. Version 4 Authentication Dialogue: Problems
       • A lifetime is associated with the ticket-granting ticket: if too short, the user is repeatedly asked for the password; if too long, there is greater opportunity for replay.
       • The threat is that an opponent steals the ticket and uses it before it expires.
    74. Version 4 Authentication Dialogue
       Authentication Service Exchange, to obtain a ticket-granting ticket:
       (1) C → AS: IDc || IDtgs || TS1
       (2) AS → C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]
       Ticket-Granting Service Exchange, to obtain a service-granting ticket:
       (3) C → TGS: IDv || Ticket_tgs || Authenticator_c
       (4) TGS → C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]
       Client/Server Authentication Exchange, to obtain service:
       (5) C → V: Ticket_v || Authenticator_c
       (6) V → C: E_Kc,v[TS5 + 1]
       where Kc is derived from the user's password, Ticket_tgs = E_Ktgs[Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2], Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4], and the authenticators are E_Kc,tgs[IDc || ADc || TS3] in (3) and E_Kc,v[IDc || ADc || TS5] in (5). The authenticator proves that the sender holds the session key and built the message just now, which is what lets the TGS and V reject a replayed ticket; message (6) authenticates V to C, since only a server holding Kv could have recovered Kc,v.
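The six messages of the version 4 dialogue run end to end, as an added example that is not part of the lecture: a KDC (AS and TGS), a server V and a client walk through messages (1) to (6) with the tickets and authenticators spelled out above. The cipher is a toy HMAC-SHA256 construction standing in for DES, the string-to-key function is a plain SHA-256 of the password, ADc and the clock-skew limit are assumed values, and the user "ahmed" and the service "fileserver" are constructed.

```python
import hashlib
import hmac
import json
import os

SKEW = 300          # seconds of clock skew tolerated on authenticators (assumed value)
ADDR = "10.0.0.7"   # constructed network address ADc of the client workstation


def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def enc(key, obj):
    """Toy authenticated encryption E_key[obj] (HMAC-SHA256 keystream plus tag).
    Stands in for the DES of Kerberos v4; illustration only, not for production use."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()   # stand-in for the v4 string-to-key


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""
    def __init__(self, users, services):
        self.Kc = {u: string_to_key(p) for u, p in users.items()}   # Kc derived from passwords
        self.Ktgs = os.urandom(32)                                  # key shared by AS and TGS
        self.Kv = {v: os.urandom(32) for v in services}             # keys shared with servers

    def as_exchange(self, IDc, IDtgs, TS1, ADc, lifetime=8 * 3600):
        """(1) C -> AS: IDc || IDtgs || TS1;  (2) AS -> C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]."""
        Kc_tgs, TS2 = os.urandom(32).hex(), TS1
        ticket_tgs = enc(self.Ktgs, {"Kc,tgs": Kc_tgs, "IDc": IDc, "ADc": ADc,
                                     "IDtgs": IDtgs, "TS2": TS2, "Lifetime2": lifetime}).hex()
        return enc(self.Kc[IDc], {"Kc,tgs": Kc_tgs, "IDtgs": IDtgs, "TS2": TS2,
                                  "Lifetime2": lifetime, "Ticket_tgs": ticket_tgs})

    def tgs_exchange(self, IDv, ticket_tgs, authenticator, ADc, now, lifetime=3600):
        """(3) C -> TGS: IDv || Ticket_tgs || Authenticator_c;  (4) TGS -> C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]."""
        t = dec(self.Ktgs, bytes.fromhex(ticket_tgs))               # only the TGS can open the TGT
        a = dec(bytes.fromhex(t["Kc,tgs"]), bytes.fromhex(authenticator))
        if not (t["IDc"] == a["IDc"] and t["ADc"] == a["ADc"] == ADc):
            raise ValueError("ticket and authenticator do not match the requester")
        if not (t["TS2"] <= now <= t["TS2"] + t["Lifetime2"] and abs(now - a["TS3"]) <= SKEW):
            raise ValueError("TGT expired or authenticator stale")
        Kc_v, TS4 = os.urandom(32).hex(), now
        ticket_v = enc(self.Kv[IDv], {"Kc,v": Kc_v, "IDc": t["IDc"], "ADc": ADc,
                                      "IDv": IDv, "TS4": TS4, "Lifetime4": lifetime}).hex()
        return enc(bytes.fromhex(t["Kc,tgs"]), {"Kc,v": Kc_v, "IDv": IDv, "TS4": TS4, "Ticket_v": ticket_v})


class Server:
    """Application server V: shares Kv with the KDC and keeps a replay cache of authenticators."""
    def __init__(self, IDv, Kv):
        self.IDv, self.Kv, self.seen = IDv, Kv, set()

    def verify(self, ticket_v, authenticator, ADc, now):
        """(5) C -> V: Ticket_v || Authenticator_c;  (6) V -> C: E_Kc,v[TS5 + 1], or None if rejected."""
        t = dec(self.Kv, bytes.fromhex(ticket_v))
        Kc_v = bytes.fromhex(t["Kc,v"])
        a = dec(Kc_v, bytes.fromhex(authenticator))
        ok = (t["IDv"] == self.IDv and t["IDc"] == a["IDc"] and t["ADc"] == a["ADc"] == ADc
              and t["TS4"] <= now <= t["TS4"] + t["Lifetime4"]
              and abs(now - a["TS5"]) <= SKEW and (a["IDc"], a["TS5"]) not in self.seen)
        if not ok:
            return None
        self.seen.add((a["IDc"], a["TS5"]))     # a stolen ticket cannot be replayed with this authenticator
        return enc(Kc_v, {"TS5+1": a["TS5"] + 1})


def client_session(kdc, server, IDc, password, IDv, now, ADc=ADDR):
    """Runs messages (1)-(6) for user IDc; returns (Ticket_v, Authenticator_c, confirmation from V)."""
    Kc = string_to_key(password)                                    # the password never leaves the client
    m2 = dec(Kc, kdc.as_exchange(IDc, "tgs", now, ADc))
    Kc_tgs = bytes.fromhex(m2["Kc,tgs"])
    auth_tgs = enc(Kc_tgs, {"IDc": IDc, "ADc": ADc, "TS3": now}).hex()
    m4 = dec(Kc_tgs, kdc.tgs_exchange(IDv, m2["Ticket_tgs"], auth_tgs, ADc, now))
    Kc_v = bytes.fromhex(m4["Kc,v"])
    auth_v = enc(Kc_v, {"IDc": IDc, "ADc": ADc, "TS5": now}).hex()
    m6 = server.verify(m4["Ticket_v"], auth_v, ADc, now)
    confirm = dec(Kc_v, m6)["TS5+1"] if m6 is not None else None   # proves V knew Kc,v: mutual authentication
    return m4["Ticket_v"], auth_v, confirm
```

Two things to notice when running it: a wrong password fails at message (2), because the client cannot decrypt what the AS sent and no password ever reached the KDC; and a ticket plus authenticator captured off the wire is refused on its second presentation, which is the replay protection the lifetime alone cannot give.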
    75. 75. Kerberos v4 ––detailed Dialogue Kerberos v4 detailed Dialogue
    76. 76. Kerberos operation Kerberos operation Henric Johnson 76
    77. 77. Kerberos Realms Kerberos Realms• A Kerberos environment consists of: – a Kerberos server – a number of clients, all registered with server – application servers, sharing keys with server• this is termed a realm – typically a single administrative domain• if have multiple realms, their Kerberos servers must share keys and trust
    78. 78. Request for Service in Another Realm
    79. 79. Main Differences Between Version 4 and 5• Kerberos V5 was developed in mid 1990’s• Specified as Internet standard RFC 1510• Provides improvements over v4, in terms of: – Encryption system dependence (V.4 DES) – Internet protocol dependence – Message byte ordering – Ticket lifetime – Authentication forwarding – Inter-realm authentication Henric Johnson 79
    80. 80. Kerberos-in practice Kerberos in practiceCurrently have two Kerberos versions:• 4 : restricted to a single realm• 5 : allows inter-realm authentication, in beta test• Kerberos v5 is an Internet standard• specified in RFC1510, and used by many utilitiesTo use Kerberos:• need to have a KDC on your network• need to have Kerberised applications running on all participating systems• major problem - US export restrictions• Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)• else crypto libraries must be reimplemented locally Henric Johnson 80