DHCP AUTHENTICATION USING CERTIFICATES
Done by: AHMAD TAWEEL
2017 - 2018
Outline
• INTRODUCTION
• DHCP
  • BASIC DHCP OPERATIONS
  • IMPORTANCE OF DHCP
  • DHCP SECURITY
  • DHCP EXISTING CONTRIBUTIONS
• E-DHCP
  • OVERVIEW
  • Principles
  • Requirements
  • Architecture
  • Authentication
  • E-DHCP SCENARIO
  • SERVICE ACCESS SCENARIO
  • E-DHCP ADVANTAGES
• CONCLUSION
1. INTRODUCTION
• DHCP is a client/server protocol that automatically provides a host with its IP address and other configuration information.
• A dynamic IP allocation protocol is necessary for two reasons:
  • the shortage of Internet addresses;
  • the mobility of equipment, which suits dynamic addressing.
• DHCP provides a framework for passing configuration information to hosts on a TCP/IP network.
• DHCP currently provides no authentication or security mechanisms.
Dynamic Host Configuration Protocol
BASIC DHCP OPERATIONS
• Uses the client/server model.
• The client initiates all interactions and the server replies.
• The client broadcasts a DHCPDiscover message.
• Servers may return DHCPOffer messages, each with a selection of configuration parameters.
• The client chooses one DHCPOffer and broadcasts a DHCPRequest message.
• The server returns a DHCPAck or a DHCPNAck message (depending on whether the address is or isn't available).
• The client can decline or release the address.
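The Discover/Offer/Request/Ack exchange above, modelled in an added Python example that is not part of the original slides: two servers share one broadcast domain, the client picks one of the offers, the server that was not chosen drops the request, a released address returns to the pool, and a request for an address that is no longer available is answered with DHCPNAK (the deck's DHCPNAck). The message fields are a subset of the real packet, and the addresses, pools and lease-selection policy are constructed for the example.

```python
"""Minimal model of the DHCP Discover/Offer/Request/Ack exchange (constructed example)."""
from dataclasses import dataclass


@dataclass
class Msg:
    kind: str             # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPRELEASE
    xid: int              # transaction id; a reply must echo the client's xid
    chaddr: str           # client hardware (MAC) address
    yiaddr: str = ""      # "your" IP address, filled in by the server
    server_id: str = ""   # server identifier option: which server the client is talking to
    lease: int = 0        # lease time in seconds


class Server:
    """One DHCP server with a pool of free addresses and a table of active leases."""

    def __init__(self, server_id, pool, lease=3600):
        self.id, self.free, self.leases, self.lease = server_id, list(pool), {}, lease

    def handle(self, m):
        if m.kind == "DHCPDISCOVER":
            if not self.free:
                return None                    # pool exhausted: nothing to offer
            return Msg("DHCPOFFER", m.xid, m.chaddr, self.free[0], self.id, self.lease)
        if m.kind == "DHCPREQUEST":
            if m.server_id != self.id:         # the client picked another server's offer
                return None
            if m.yiaddr in self.free:          # address still available: bind it
                self.free.remove(m.yiaddr)
                self.leases[m.chaddr] = m.yiaddr
            if self.leases.get(m.chaddr) == m.yiaddr:   # new lease or renewal of its own lease
                return Msg("DHCPACK", m.xid, m.chaddr, m.yiaddr, self.id, self.lease)
            return Msg("DHCPNAK", m.xid, m.chaddr, "", self.id)   # address not available
        if m.kind == "DHCPRELEASE":
            ip = self.leases.pop(m.chaddr, None)
            if ip:
                self.free.append(ip)
        return None


def client_obtain(servers, chaddr, xid):
    """Client side of DORA: broadcast DISCOVER, pick one OFFER, broadcast REQUEST, await ACK."""
    offers = [o for o in (s.handle(Msg("DHCPDISCOVER", xid, chaddr)) for s in servers)
              if o is not None and o.xid == xid]
    if not offers:
        return None
    chosen = max(offers, key=lambda o: o.lease)      # selection policy is the client's choice
    request = Msg("DHCPREQUEST", xid, chaddr, chosen.yiaddr, chosen.server_id)
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]  # broadcast
    acks = [r for r in replies if r.kind == "DHCPACK" and r.server_id == chosen.server_id]
    return acks[0].yiaddr if acks else None


def run_exchange():
    """Two servers on one broadcast domain, three clients, one release, one stale request."""
    s1 = Server("10.0.0.1", ["10.0.0.10"], lease=600)
    s2 = Server("10.0.0.2", ["10.0.0.20"], lease=3600)
    servers = [s1, s2]
    a = client_obtain(servers, "02:00:00:00:00:0a", xid=1)   # two offers, longer lease wins
    b = client_obtain(servers, "02:00:00:00:00:0b", xid=2)   # only s1 can still offer
    c = client_obtain(servers, "02:00:00:00:00:0c", xid=3)   # both pools exhausted
    s1.handle(Msg("DHCPRELEASE", 4, "02:00:00:00:00:0b"))    # b releases its address
    c_retry = client_obtain(servers, "02:00:00:00:00:0c", xid=5)
    stale = s2.handle(Msg("DHCPREQUEST", 6, "02:00:00:00:00:0d", "10.0.0.20", "10.0.0.2"))
    return {"a": a, "b": b, "c": c, "c_retry": c_retry, "stale": stale.kind}


if __name__ == "__main__":
    print(run_exchange())
```

Nothing in this exchange identifies who sent an offer or a request: any host on the segment can answer a DHCPDISCOVER or claim an address, which is the gap the rest of the deck addresses.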
IMPORTANCE OF DHCP
• No manual reconfiguration is required.
• Reduces the work required to administer a large network by eliminating the need to individually assign, configure and manage an IP address for every machine.
• Administration can be done from a single point.
DHCP SHORTCOMINGS
• Lack of intelligence.
• Limited security.
• Lack of a robust administrative source (it cannot associate a username with an address).
DHCP VULNERABILITIES
• No authentication.
• Intruders can impersonate the identity of a client or of a DHCP server.
• Unknown hosts can obtain IP addresses.
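A defender-side check for the weaknesses listed above, as an added example that is not part of the original slides: a small detector run over constructed DHCP log lines flags offers and acknowledgements from servers that are not on the authorized list (server impersonation), acknowledgements to hardware addresses not in the inventory (unknown hosts obtaining addresses), and one hardware address sending a burst of DHCPDiscover messages (the flooding the deck mentions under E-DHCP advantages). The log line format, the address lists and the threshold are assumptions made for this example.

```python
"""Detector for unauthenticated-DHCP symptoms, run over constructed sample log lines.
Assumed log format: '<ts> <msg_type> chaddr=<client mac> src=<sender ip> [yiaddr=<ip>]'."""
import re
from collections import Counter

# Inventory the detector trusts (constructed for the example).
AUTHORIZED_SERVERS = {"10.0.0.1"}
KNOWN_HOSTS = {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}
DISCOVER_FLOOD_THRESHOLD = 5       # DISCOVERs from one chaddr before we call it a flood

# Constructed sample: one legitimate lease, one rogue server answering, one unknown host
# that gets an address, one hardware address hammering the server, and one bad line.
SAMPLE_LOG = """\
12:00:01 DHCPDISCOVER chaddr=02:00:00:00:00:0a src=0.0.0.0
12:00:01 DHCPOFFER chaddr=02:00:00:00:00:0a src=10.0.0.1 yiaddr=10.0.0.10
12:00:01 DHCPOFFER chaddr=02:00:00:00:00:0a src=10.0.0.99 yiaddr=10.0.0.77
12:00:02 DHCPREQUEST chaddr=02:00:00:00:00:0a src=0.0.0.0 yiaddr=10.0.0.10
12:00:02 DHCPACK chaddr=02:00:00:00:00:0a src=10.0.0.1 yiaddr=10.0.0.10
12:00:05 DHCPDISCOVER chaddr=02:00:00:00:00:ee src=0.0.0.0
12:00:05 DHCPOFFER chaddr=02:00:00:00:00:ee src=10.0.0.1 yiaddr=10.0.0.11
12:00:06 DHCPACK chaddr=02:00:00:00:00:ee src=10.0.0.1 yiaddr=10.0.0.11
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
12:00:10 DHCPDISCOVER chaddr=02:00:00:00:00:ff src=0.0.0.0
garbage line that does not parse
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<type>DHCP[A-Z]+) chaddr=(?P<chaddr>[0-9a-f:]{17}) "
                  r"src=(?P<src>[0-9.]+)(?: yiaddr=(?P<yiaddr>[0-9.]+))?$")


def analyze(log):
    """Return (kind, detail) findings; an empty list means nothing suspicious was seen."""
    findings, discovers = [], Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if m is None:
            findings.append(("unparsed", line))          # never silently drop input
            continue
        kind, chaddr, src = m["type"], m["chaddr"], m["src"]
        if kind in ("DHCPOFFER", "DHCPACK") and src not in AUTHORIZED_SERVERS:
            findings.append(("rogue_server", src))      # someone answering as a server
        if kind == "DHCPACK" and chaddr not in KNOWN_HOSTS:
            findings.append(("unknown_host_leased", f"{chaddr} got {m['yiaddr']}"))
        if kind == "DHCPDISCOVER":
            discovers[chaddr] += 1
    for chaddr, n in discovers.items():
        if n > DISCOVER_FLOOD_THRESHOLD:
            findings.append(("discover_flood", f"{chaddr} sent {n} DISCOVERs"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The allow-list of server addresses is the only thing separating the legitimate offer from the rogue one here; without authentication in the protocol itself, detection has to lean on such out-of-band inventory.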
EXISTING CONTRIBUTIONS
• Authentication via Kerberos.
• Token authentication.
• Delayed authentication (symmetric key and hash).
Extended Dynamic Host Configuration Protocol
Overview
E-DHCP is an extension to DHCP that provides:
• a stronger authentication process;
• authentication of entities and messages;
• access control authentication.
E-DHCP principles
• An "E-DHCP authentication" option.
• Attribution of Attribute Authority server functionality: the Attribute Authority creates the client Attribute Certificate (AC), which ensures the link between the client identity certificate and the allocated IP address.
E-DHCP requirements
• Client and server must each have a valid X.509 identity certificate (IC) issued by a trusted CA.
E-DHCP architecture
E-DHCP Client, E-DHCP Server, Attribute Certificate Database, Identity Certificate Database.
E-DHCP authentication Option
E-DHCP Scenario (1/9)
• The client broadcasts a DHCPDiscover message.
• This message must include options such as:
  • a network address and lease time suggestion;
  • the E-DHCP authentication option.
E-DHCP Scenario (2/9)
To validate the client authentication, the E-DHCP server:
• extracts the client X.509 IC from the URIIdentityCertificate field;
• extracts the client public key from the X.509 IC;
• verifies the value of the Flag field;
• if Flag = 0, uses the client public key to verify the validity of the signature (contained in AuthenticationInformation);
• if Flag = 1, uses its private key to decrypt the signature, then uses the client public key to verify its validity.
E-DHCP Scenario (3/9)
The server may choose whether or not to accept unauthorized DHCPDiscover messages.
The server responds with a DHCPOffer message that includes the E-DHCP authentication option.
E-DHCP Scenario (4/9)
To validate the server authentication, the client:
• extracts the server X.509 IC from the URIIdentityCertificate field;
• extracts the server public key from the X.509 IC;
• verifies the value of the Flag field;
• if Flag = 0, uses the server public key to verify the validity of the signature (contained in AuthenticationInformation);
• if Flag = 1, uses its private key to decrypt the signature, then uses the server public key to verify its validity.
E-DHCP Scenario (5/9)
• If the authentication is not valid or the offer is not acceptable, the client can discard it.
• Otherwise a DHCPRequest is sent to the server:
  • requesting the offered parameters;
  • confirming the correctness of a previously allocated address;
  • extending the lease time.
E-DHCP Scenario (6/9)
The same procedure followed for the DHCPDiscover message is used to fill in the E-DHCP authentication option.
The URIAttributeCertificate field may contain a value.
E-DHCP Scenario (7/9)
The E-DHCP server validates the authentication of the client and of the DHCPRequest message.
If the validation fails or the server cannot satisfy the client request, a DHCPNAck message is sent.
Otherwise, the server checks the URIAttributeCertificate field value:
• if the value is 0, the server creates an AC for the client and saves it in the AC database;
• otherwise, the server extracts the certificate and checks its validity, in order to renew it or create a new one.
E-DHCP Scenario (8/9)
The E-DHCP server sends a DHCPAck message to the client (including an E-DHCP authentication option).
The URIAttributeCertificate field contains the client's new (or renewed) AC.
E-DHCP Scenario (9/9)
The client receives the DHCPAck message and validates the authentication of the server and of the message.
If validated, the client extracts the configuration information from the message and uses it.
The client then uses its attribute certificate.
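The validation steps of scenarios 2/9 and 4/9, carried through in an added Python example that is not part of the original slides or of any E-DHCP implementation. A small textbook RSA with toy key sizes (standard library only) stands in for the real RSA and X.509 tooling, the Identity Certificate Database is a plain dictionary keyed by the certificate URI, and the message body, URI and key sizes are constructed; the option field names (URIIdentityCertificate, Flag, AuthenticationInformation, URIAttributeCertificate) follow the deck. It shows the server verifying both Flag values and the two cases it must reject: a tampered message body, and a signature made with a key that does not belong to the certificate named in the option.

```python
"""Toy model of the E-DHCP authentication option check (scenarios 2/9 and 4/9).
Added example, stdlib only: textbook RSA with toy key sizes stands in for real RSA/X.509."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537

def _is_probable_prime(n, rounds=25):      # Miller-Rabin; enough for toy 128-bit primes
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair():
    """Return ((e, n), (d, n)) with a 256-bit modulus: TOY key size, never for real use."""
    def prime():
        while True:
            c = secrets.randbits(128) | (1 << 127) | 1      # 128-bit, odd, top bit set
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:                 # E is prime, so this means gcd(E, phi) == 1
            return (E, p * q), (pow(E, -1, phi), p * q)

def _digest(message, n):                       # SHA-256 reduced mod n (toy: no padding)
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message):
    d, n = priv
    return pow(_digest(message, n), d, n).to_bytes(32, "big")

def rsa_verify(pub, message, signature):
    e, n = pub
    return pow(int.from_bytes(signature, "big"), e, n) == _digest(message, n)

def rsa_transform(key, data, size_in, size_out):
    """RSA applied chunk-wise: encrypt 16-byte chunks to 32 bytes, decrypt 32 back to 16."""
    k, n = key
    return b"".join(pow(int.from_bytes(data[i:i + size_in], "big"), k, n).to_bytes(size_out, "big")
                    for i in range(0, len(data), size_in))

CERT_DB = {}                   # Identity Certificate Database: URI -> (subject, public key)

@dataclass
class AuthOption:              # E-DHCP authentication option; field names follow the deck
    uri_identity_cert: str
    flag: int                  # 0: signature in clear, 1: signature encrypted for the peer
    auth_info: bytes           # AuthenticationInformation
    uri_attribute_cert: str = ""   # may be empty on the first DHCPRequest (scenario 6/9)

def build_auth_option(message, signer_uri, signer_priv, flag, peer_pub=None):
    sig = rsa_sign(signer_priv, message)
    return AuthOption(signer_uri, flag, rsa_transform(peer_pub, sig, 16, 32) if flag else sig)

def validate_auth_option(message, option, own_priv):
    """Scenario 2/9 (server side) or 4/9 (client side); returns (ok, subject or reason)."""
    if option.uri_identity_cert not in CERT_DB:          # 1. fetch the peer's IC by URI
        return False, "unknown identity certificate"
    subject, pub = CERT_DB[option.uri_identity_cert]     # 2. extract its public key
    if option.flag not in (0, 1):                        # 3. check the Flag field
        return False, "bad flag"
    try:                                                 # 4. (decrypt, then) verify
        sig = rsa_transform(own_priv, option.auth_info, 32, 16) if option.flag else option.auth_info
        ok = rsa_verify(pub, message, sig)
    except (OverflowError, ValueError):                  # junk from a wrong key or bad length
        ok = False
    return ok, subject if ok else "signature invalid"

def run_scenario():                # client -> server DHCPDiscover, plus cases the server rejects
    client_pub, client_priv = generate_keypair()
    server_pub, server_priv = generate_keypair()
    _, rogue_priv = generate_keypair()                   # impersonator without the client's key
    uri = "https://ca.example/ic/client-01"              # constructed URI
    CERT_DB[uri] = ("client-01", client_pub)
    discover = b"DHCPDISCOVER xid=0x1a2b3c4d chaddr=02:00:00:00:00:0a"   # constructed body
    clear = build_auth_option(discover, uri, client_priv, 0)
    sealed = build_auth_option(discover, uri, client_priv, 1, server_pub)
    forged = build_auth_option(discover, uri, rogue_priv, 0)
    return {
        "flag0_valid": validate_auth_option(discover, clear, server_priv)[0],
        "flag1_valid": validate_auth_option(discover, sealed, server_priv)[0],
        "tampered_body": validate_auth_option(discover + b"!", clear, server_priv)[0],
        "forged_signer": validate_auth_option(discover, forged, server_priv)[0],
    }
```

The same validate_auth_option serves the client side in scenarios 4/9 and 9/9: the option then names the server's certificate URI and own_priv is the client's private key. The forged case is the impersonation the vulnerabilities slide describes: the option can name any certificate, but the signature only verifies under the public key in the certificate actually fetched.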
Service access scenario (1/3)
• Allocate to the equipment an AC containing the dynamically allocated Internet address.
• This certificate ensures the relation between the client identity certificate and the allocated IP address.
• Every piece of equipment can prove its address by presenting its identity certificate and the AC to the access control.
Service access scenario (2/3)
Service access scenario (3/3)
Steps:
1. The client establishes a connection with the Access Control Server using the IP address allocated by the E-DHCP server.
2. The client and the Access Control Server use SSL client authentication and SSL server authentication to confirm each other's identity.
3. The client presents its attribute certificate to the Access Control Server.
4. The Access Control Server verifies:
  • the identity certificate (validity period, certification chain, etc.);
  • the AC (validity period, allocated IP, authorized service, etc.);
  • the validity of the link between the X.509 identity certificate and the AC;
  • the validity of the link between the identity of the client and the IP address.
5. If the verification is successful, the Access Control Server allows the client to connect to the authorized service.
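The verifications of step 4 and the decision of step 5, as an added Python example that is not part of the original slides. The identity certificate and the attribute certificate are simplified records carrying only the fields the checks need, and an HMAC tag under a constructed key stands in for the Attribute Authority's signature on the AC so that the example runs with the standard library alone; the trust anchor, subjects, addresses and times are constructed. It also shows the AC issuance of scenario 7/9, which is what binds the identity certificate to the allocated address in the first place.

```python
"""Access Control Server checks from the service access scenario (steps 4 and 5).
Added example: simplified certificate records; an HMAC tag stands in for the AA signature."""
import hashlib
import hmac
from dataclasses import dataclass

TRUSTED_CAS = {"Example Root CA"}                      # constructed trust anchor
AA_KEY = b"constructed-attribute-authority-key"       # stand-in for the AA signing key


@dataclass
class IdentityCert:            # simplified X.509 identity certificate (IC)
    subject: str
    issuer: str
    not_before: int            # unix time
    not_after: int
    public_key: bytes          # opaque here

    def fingerprint(self):     # what the AC's holder field refers to
        return hashlib.sha256(self.subject.encode() + self.public_key).hexdigest()


@dataclass
class AttributeCert:           # AC issued when the E-DHCP server allocates an address
    holder: str                # fingerprint of the client's IC: the IC <-> AC link
    ip: str                    # the allocated IP address: the identity <-> IP link
    services: tuple
    not_before: int
    not_after: int
    tag: bytes = b""           # Attribute Authority's signature (HMAC stand-in)

    def to_be_signed(self):
        return "|".join([self.holder, self.ip, ",".join(self.services),
                         str(self.not_before), str(self.not_after)]).encode()


def issue_ac(ic, ip, services, not_before, not_after):
    """What the Attribute Authority does in scenario 7/9 once a DHCPRequest is accepted."""
    ac = AttributeCert(ic.fingerprint(), ip, tuple(services), not_before, not_after)
    ac.tag = hmac.new(AA_KEY, ac.to_be_signed(), "sha256").digest()
    return ac


def verify_access(ic, ac, tls_peer_subject, peer_ip, service, now):
    """Return the list of failed checks; an empty list means access is granted (step 5)."""
    problems = []
    if ic.issuer not in TRUSTED_CAS:                         # IC chain (simplified to issuer)
        problems.append("ic: issuer not trusted")
    if not ic.not_before <= now <= ic.not_after:             # IC validity period
        problems.append("ic: outside validity period")
    expected = hmac.new(AA_KEY, ac.to_be_signed(), "sha256").digest()
    if not hmac.compare_digest(ac.tag, expected):            # AC really issued by the AA
        problems.append("ac: authority signature invalid")
    if not ac.not_before <= now <= ac.not_after:             # AC validity period
        problems.append("ac: outside validity period")
    if service not in ac.services:                           # AC authorized service
        problems.append("ac: service not authorized")
    if ac.holder != ic.fingerprint():                        # link IC <-> AC
        problems.append("link: ac holder is not this identity certificate")
    if tls_peer_subject != ic.subject:                       # SSL client auth matches the IC
        problems.append("link: ssl client identity differs from ic subject")
    if peer_ip != ac.ip:                                     # link identity <-> IP address
        problems.append("link: connection source ip differs from ac ip")
    return problems


def run_checks():
    now = 1_700_000_000
    ic = IdentityCert("client-01", "Example Root CA", now - 86_400, now + 86_400, b"pubkey-bytes")
    other = IdentityCert("client-02", "Example Root CA", now - 86_400, now + 86_400, b"other-key")
    ac = issue_ac(ic, "10.0.0.10", ["vpn"], now - 60, now + 3600)
    stale = issue_ac(ic, "10.0.0.10", ["vpn"], now - 7200, now - 3600)
    forged = issue_ac(ic, "10.0.0.10", ["vpn"], now - 60, now + 3600)
    forged.ip = "10.0.0.99"     # edited after issuance: the AA tag no longer matches
    return {
        "ok": verify_access(ic, ac, "client-01", "10.0.0.10", "vpn", now),
        "wrong_ip": verify_access(ic, ac, "client-01", "10.0.0.11", "vpn", now),
        "other_ic": verify_access(other, ac, "client-02", "10.0.0.10", "vpn", now),
        "stale": verify_access(ic, stale, "client-01", "10.0.0.10", "vpn", now),
        "forged": verify_access(ic, forged, "client-01", "10.0.0.99", "vpn", now),
        "service": verify_access(ic, ac, "client-01", "10.0.0.10", "ssh", now),
    }


if __name__ == "__main__":
    for case, problems in run_checks().items():
        print(case, "granted" if not problems else problems)
```

Collecting every failed check rather than stopping at the first one keeps the decision (grant only when the list is empty) separate from the diagnosis, which is what an access log needs; the "other_ic" case is the one the IC-to-AC link exists for: a valid AC presented with someone else's valid identity certificate.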
E-DHCP ADVANTAGES (1/2)
• Provides authentication of entities (client/server) and authentication of DHCP messages, mainly by using asymmetric-key encryption, X.509 IC and AC.
• Usage of RSA (better security than symmetric encryption).
E-DHCP ADVANTAGES (2/2)
• Invulnerable to denial of service attack through flooding with unauthenticated DHCPDiscover messages.
• Invulnerable to message interception.
• The AC confirms the client's IP address ownership.
CONCLUSION
E-DHCP is an extension to the DHCP protocol.
E-DHCP uses asymmetric-key encryption (RSA), X.509 IC and AC to authenticate entities (client/server) and DHCP messages.
In E-DHCP, the DHCP server asks an Attribute Authority server to create a client AC, which ensures the relation between the client identity certificate and the allocated IP address. This AC is used in access control.
E-DHCP is a modification of the open source code base of DHCP, followed by the development of an attribute authority to which the DHCP server is attached.
Thank You
