
AAA 1 Authentication: who is actually the person - PowerPoint PPT Presentation



  1. AAA

  2.
     - Authentication: who is actually the person (computer) we are talking to
     - Authorization: does the person (computer) we are talking to have the necessary privileges to access the source / use the service / ...
     - Accounting: who has at any time used a source/service/...

  3.
     - authentication: what is it, how can it be implemented, protocols
     - authorization: how can it be implemented
     - accounting (recording): system logging
     - protocols for AAA
     - Literature: C. Kaufman, R. Perlman, M. Speciner. Network Security – Private Communication in a Public World. Prentice Hall.

  4. (slide consisting only of the word "trust" repeated across the page)

  5.
     - two sides (Ana and Borut) are communicating and they must believe that they are actually talking to each other
       - establishing identities at the beginning
       - maintaining identity throughout the conversation
     - how can we believe that the other side is in fact the correct side?
     - a side can be a person or a service / program
     - Ana needs to know:
       - something about Borut, with which she can recognize Borut
       - that "something" must be known only to Ana

  6.
     - Borut tells Ana his password
     - possible attacks:
       - tapping (stealing during transfer)
       - breaking into the system (stealing stored passwords)
       - guessing passwords
     - defences:
       - using secure cryptographic connections
       - system / password security
       - limiting the number of tries for password guessing
     - additional defence: Ana sends Borut a challenge which he must be able to solve

  7.
     - passwords are stored in all places where they are needed
       - huge vulnerability, and the problem of changing them everywhere
     - passwords are stored in one place and used by all users
       - protection of transferring a copy to the user
     - we have a special node that provides the password-checking service
       - special protocol

  8.
     - We additionally protect stored passwords with cryptographic protection
     - we don't store passwords in their original form; instead we use a safeguarded one-way (unidirectional) hash function f
     - authentication:
       1. Borut calculates f(password) -> g and sends g
       2. Ana keeps g in the database, and not the password
       3. She only checks the presence of g in the database

  9.
     - Against guessing: we limit the number of attempts
       - the automated machine (e.g. an ATM) keeps the card
       - the password is valid for a limited number of attempts
     - Limiting how long a password is valid:
       - The S/KEY One-Time Password System, RFC 1760
       - A One-Time Password System, RFC 2289
     - required: find it on the internet and read about it – literature!
     - challenge: write your own program for S/Key or invent your own OTP.
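A simplified one-time password chain in the style of S/KEY (RFC 1760/2289), written for this page and not part of the lecture: it assumes SHA-256 in place of the RFC's MD4/MD5 with 64-bit folding, omits the six-word output encoding, and uses a constructed secret, seed and chain length.

```python
import hashlib
from typing import List, Tuple

# Simplified one-time password chain in the style of S/KEY (RFC 1760/2289).
# Added example: SHA-256 stands in for the RFC's MD4/MD5 with 64-bit folding,
# and the six-word output encoding is omitted.

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def hash_chain(secret: str, seed: str, n: int) -> bytes:
    """f^n(seed || secret): apply the one-way function n times."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = f(x)
    return x

class Server:
    """Ana stores only the seed, the sequence number and the current chain top."""
    def __init__(self, seed: str, n: int, top: bytes):
        self.seed, self.n, self.top = seed, n, top

    def challenge(self) -> Tuple[int, str]:
        # Sent in the clear: Borut needs n-1 and the seed to answer.
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # Accept only if f(otp) equals the stored top, then move one step down
        # the chain so the same otp can never be accepted again.
        if self.n <= 1 or f(otp) != self.top:
            return False
        self.top, self.n = otp, self.n - 1
        return True

def client_response(secret: str, seq: int, seed: str) -> bytes:
    """Borut recomputes f^seq from the secret that only he knows."""
    return hash_chain(secret, seed, seq)

def run_logins(secret: str, seed: str, n: int, logins: int) -> List[bool]:
    """Each login: challenge, answer, verify, then replay the same otp (must fail)."""
    srv = Server(seed, n, hash_chain(secret, seed, n))
    results = []
    for _ in range(logins):
        seq, sd = srv.challenge()
        otp = client_response(secret, seq, sd)
        results.append(srv.verify(otp))
        results.append(srv.verify(otp))  # replay attempt with a captured otp
    return results
```

The server never learns the secret and a captured one-time password is useless after its single use; when the sequence number reaches 1 the chain is exhausted and must be re-initialised.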

  10.
     - Stealing passwords
       - stolen plaintext – change the password
       - stolen mappings (hashes)
         - on the internet there are databases/services which systematically compute password mappings
         - possible defence – we salt the password
     - challenge: how to perform salting?
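The hashed storage of slide 8 and the salting of slide 10 side by side, as an added example that is not from the lecture: it assumes PBKDF2-HMAC-SHA256 as the one-way function f with a chosen work factor, and uses a constructed attacker wordlist.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hashed password storage (slide 8) with per-user salting (slide 10).
# Added example, not from the slides: f is PBKDF2-HMAC-SHA256 with an
# assumed work factor; the slides only say "one-way hash function f".

ITERATIONS = 100_000
WORDLIST = ["1234", "admin", "password", "qwerty"]  # constructed attacker wordlist

def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """Borut computes g = f(salt, password); Ana stores salt and g, never the password."""
    salt = os.urandom(16) if salt is None else salt
    g = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "g": g}

def verify(record: dict, attempt: str) -> bool:
    """Ana recomputes f over the stored salt and compares in constant time."""
    g2 = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["g"], g2)

def unsalted(password: str) -> bytes:
    """The plain scheme of slide 8: f(password) alone, identical for every user."""
    return hashlib.sha256(password.encode()).digest()

def compare_schemes(pw: str) -> Tuple[Optional[str], bool]:
    """Left: is the unsalted hash found in a precomputed mapping table?
    Right: do two salted records of the same password collide (False = no)?"""
    table = {unsalted(p): p for p in WORDLIST}   # one table serves every user
    a, b = enroll(pw), enroll(pw)
    return table.get(unsalted(pw)), a["g"] == b["g"]
```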

  11.
     - the (IP) address represents a password or a part of it
     - we trust only certain computers
       - login is possible only from those computers
     - we trust those computers that have completed appropriate authentication (file hosts.equiv)
       - only those computers are allowed to authenticate
     - required: consider how authentication is addressed in ssh

  12.
     - key distribution centre
       - the broker forms a key (password) for every new connection
       - short-lived keys
     - certification authority
       - the broker provides authorized passwords
       - long-lived certificates; there must be an option to cancel them
     - hierarchy of intermediaries

  13.
     - using passwords
     - an authentication utility (device)
     - using biometric characteristics
     - the two other options require additional hardware (which we have to trust)

  14.
     - a password must not be simple: length, number of characters, which signs, ...
       - admin/admin, 1234, unique master citizen number
     - a password must not be too complicated
       - NaWUwra66nu5UHAd
     - challenge: find a system that generates safe passwords.
     - we change passwords systematically
     - what if we forget a password?

  15.
     - cards
       - only holders of information (magnetic recording, optical recording, ...)
     - smart cards
       - they contain a computer that protects the information; we need a password to access the computer...
       - use of a challenge
     - cryptographic computers
       - they form time-dependent passwords

  16.
     - replaceable password
     - lack of portability
     - routine, fingerprint, face identification, iris, voice, ...

  17.
     - directly
       - login at a computer console
     - remote access: telnet (TELNET Protocol, RFC 139), ssh (does an RFC exist for ssh?)
       - challenge: find other RFC documents about telnet.
     - ad hoc form
     - using protocols

  18.
     - PPP and PAP: Password Authentication Protocol
     - CHAP: Challenge-Handshake Authentication Protocol (MS-CHAP)
     - EAP: Extensible Authentication Protocol

  19.
     - The Point-to-Point Protocol (PPP), RFC 1661
       - challenge: find and read the RFC.
     - it replaces the data-link layer
     - authentication is required at the beginning of a session

  20. PPP frame and protocol field values:

      +----------+-------------+---------+
      | Protocol | Information | Padding |
      | 8/16 bits|      *      |    *    |
      +----------+-------------+---------+

      protocol:
      0001          Padding Protocol
      0003 to 001f  reserved (transparency inefficient)
      007d          reserved (Control Escape)
      00cf          reserved (PPP NLPID)
      00ff          reserved (compression inefficient)
      8001 to 801f  unused
      807d          unused
      80cf          unused
      80ff          unused
      c021          Link Control Protocol
      c023          Password Authentication Protocol
      c025          Link Quality Report
      c223          Challenge Handshake Authentication Protocol

  21.
     - the password is transferred in cleartext
     - last option, if all others fail (and if we are still willing to do it)

  22.
     - PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994
       - required: find this protocol on the internet and read it – literature!
     - prepared for PPP use (point-to-point protocol)
     - challenge-based design: Ana sends a challenge to Borut
     - the transmission protocol is in principle not defined (see PPP)

  23. Three-step protocol:
       1. Ana sends a challenge
       2. Borut combines the challenge with the password and sends it back, encrypted with a one-way hash function
       3. Ana verifies whether the answer is correct
     - the steps in the PPP protocol can be repeated an unlimited number of times
     - the challenge is sent in readable form
     - the password must be stored on both sides
     - because the challenge changes, an attack by repetition (replay) is difficult

  24.
     - the PPP protocol has its own control protocol, LCP
     - it can set various properties, including the type of hash function
     - challenge: where and how can we set it?

  25. CHAP packet format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |  Identifier   |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Data ...
      +-+-+-+-+

     - Code – message code: 1 Challenge, 2 Response, 3 Success, 4 Failure
     - Identifier – connection between protocol steps
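The three-step exchange of slide 23 carried in the packet layout of slide 25, as an added example that is not from the lecture: it follows RFC 1994 (Challenge/Response packets carry Value-Size, Value and Name; the response value is MD5 over Identifier, secret and challenge), and the shared secret and peer names are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

# CHAP (RFC 1994) three-step exchange from slide 23 on the packet layout of
# slide 25. Added example, not from the slides. Secret and names are constructed;
# MD5 is what RFC 1994 specifies and is used here for fidelity, not as advice.

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def pack_cr(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def unpack_cr(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (CHALLENGE, RESPONSE):
        raise ValueError("malformed CHAP challenge/response packet")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def pack_result(code: int, ident: int, message: bytes = b"") -> bytes:
    """Success/Failure: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # Step 2: Identifier || secret || challenge through the one-way hash.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def exchange(secret_ana: bytes, secret_borut: bytes, ident: int = 1) -> Tuple[bytes, bytes, bytes]:
    """Step 1: Ana sends a fresh random challenge in the clear. Step 2: Borut hashes
    it with his copy of the secret. Step 3: Ana recomputes with hers and compares."""
    chal_value = os.urandom(16)
    challenge = pack_cr(CHALLENGE, ident, chal_value, b"ana")
    _, rid, recv_chal, _ = unpack_cr(challenge)                      # Borut's view
    response = pack_cr(RESPONSE, rid, chap_hash(rid, secret_borut, recv_chal), b"borut")
    _, rid2, recv_resp, _ = unpack_cr(response)                      # Ana's view
    expected = chap_hash(ident, secret_ana, chal_value)
    ok = rid2 == ident and hmac.compare_digest(recv_resp, expected)  # fresh challenge blocks replay
    return challenge, response, pack_result(SUCCESS if ok else FAILURE, ident)

def succeeded(result: bytes) -> bool:
    return result[0] == SUCCESS
```

Because the Identifier is bound into the hash and the challenge value is new each time, a recorded Response only matches the one Challenge it answered.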
