CSE543 - Introduction to Computer and Network Security Module: - - PowerPoint PPT Presentation

฀฀฀฀ ฀

• ฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

CSE543 - Introduction to Computer and Network Security Page

CSE543 - Introduction to Computer and Network Security Module: Authentication

Professor Patrick McDaniel Fall 2008

1

CSE543 - Introduction to Computer and Network Security Page

Meet Alice and Bob ….

• Alice and Bob are the canonical players in the

cryptographic world.

• They represent the end points of some interaction
• Used to illustrate/define a security protocol
• Other players occasionally join …
• Trent - trusted third party
• Mallory - malicious entity
• Eve - eavesdropper
• Ivan - an issuer (of some object)

2

CSE543 - Introduction to Computer and Network Security Page

Some notation …

• You will generally see protocols defined in terms of

exchanges containing some notation like

• All players are identified by their first initial
• E.g., Alice=A, Bob=B
• d is some data
• pwA is the password for A
• kAB is a symmetric key known to A and B
• KA+,KA- is a public/private key pair for entity A
• E(k,d) is encryption of data d with key k
• H(d) is the hash of data d
• Sig(KA-,d) is the signature (using A’s private key) of data d
• “+” is used to refer to concatenation

3

CSE543 - Introduction to Computer and Network Security Page

Some interesting things

• … when communicating.
• Ensure the authenticity of a user
• Ensure the integrity of the data
• Also called data authenticity
• Keep data confidential
• Guarantee non-repudation

4

CSE543 - Introduction to Computer and Network Security Page

Basic (User) Authentication

Alice Bob

• Bob wants to authenticate Alice’s identity
• (is who she says she is)

[pwA]

1

[Y/N]

2

5

CSE543 - Introduction to Computer and Network Security Page

Hash User Authentication

Alice Bob

• Bob wants to authenticate Alice’s identity
• (is who she says she is)

[h(pwA)]

1

[Y/N]

2

6

CSE543 - Introduction to Computer and Network Security Page

Challenge/Response User Authentication

Alice Bob

• Bob wants to authenticate Alice’s identity
• (is who she says she is)

[h(c+pwA)]

2 1

[c] [Y/N]

3

7

CSE543 - Introduction to Computer and Network Security Page

User Authentication vs. Data Integrity

• User authentication proves a property about the

communicating parties

• E.g., I know a password
• Data integrity ensures that the data transmitted...
• Can be verified to be from an authenticated user
• Can be verified to determine whether it has been modified
• Now, lets talk about the latter, data integrity

8

CSE543 - Introduction to Computer and Network Security Page

Simple Data Integrity?

Alice Bob

• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

[d,h(d)]

1

9

CSE543 - Introduction to Computer and Network Security Page

HMAC Integrity

Alice Bob

• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

[d,hmac(k,d)]

1

10

CSE543 - Introduction to Computer and Network Security Page

Signature Integrity

Alice Bob

• Alice wants to ensure any modification of the data in

flight is detectable by Bob (integrity)

[d, Sig(KA-, d)]

1

11

CSE543 - Introduction to Computer and Network Security Page

Data Integrity vs. Non-repudiation

• If the integrity of the data is preserved, is it provably

from that source?

• Hash integrity says what about non-repudiation?
• Signature integrity says what about non-repudiation?

12

CSE543 - Introduction to Computer and Network Security Page

Confidentiality

Alice Bob

• Alice wants to ensure that the data is not exposed to

anyone except the intended recipient (confidentiality)

[E(kAB,d), hmac(kAB, d)]

1

13

CSE543 - Introduction to Computer and Network Security Page

Question

• If I already have an authenticated channel (e.g., the

remote party’s public key), why don’t I simply make up a key and send it to them?

14

CSE543 - Introduction to Computer and Network Security Page

• Alice wants to ensure that the data is not exposed to

anyone except the intended recipient (confidentiality)

• But, Alice and Bob have never met!!!!
• Alice randomly selects key kx to encrypt with

Confidentiality

Alice Bob

[E(kx,d), hmac(kx, d),E(KB+,kx)]

1

15

CSE543 - Introduction to Computer and Network Security Page

Real Systems Security

• The reality of the security is that 90% of the frequently

used protocols use some variant of these constructs.

• So, get to know them … they are your friends
• We will see them (and a few more) over the semester
• They also apply to systems construction
• Protocols need not necessarily be online
• Think about how you would use these constructs to secure

files on a disk drive (integrity, authenticity, confidentiality)

• We will add some other tools, but these are the basics

16

CSE543 - Introduction to Computer and Network Security Page

Kerberos

• History: from UNIX to Networks (late 80s)
• Solves: password eavesdropping
• Online authentication
• Variant of Needham-Schroeder protocol
• Easy application integration API
• First single sign-on system (SSO)
• Genesis: rsh, rcp
• authentication via assertion
• Most widely used (non-web) centralized password system in

existence (and lately only ..)

• Now: part of Windows 2K/XP/Vista network authentication
• Old Windows authentication was a cruel joke.

17

CSE543 - Introduction to Computer and Network Security Page

An aside …

• Authentication
• Assessing identity of users
• By using credentials …
• Authorization
• Determining if users have the right to perform requested

action (e.g., write a file, query a database, etc.)

• Kerberos authenticates users, but does not perform

any authorization functions …

• … beyond identify user as part of Realm
• Typically done by application.
• Q: Do you use any “Kerberized” programs?
• How do you know?

18

CSE543 - Introduction to Computer and Network Security Page

The setup …

• The players
• Principal - person being authenticated
• Service (verifier) - entity requiring authentication (e.g, AFS)
• Key Distribution Center (KDC)
• Trusted third party for key distribution
• Each principal and service has a Kerberos password known to

KDC, which is munged to make a password ke, e.g., kA

• Ticket granting server
• Server granting transient authentication
• The objectives

19

CSE543 - Introduction to Computer and Network Security Page

The protocol

• A two-phase process
• 1. User authentication/obtain session key (and ticket granting

ticket) key from Key Distribution Center

• 2. Authenticate Service/obtain session key for communication

with service

• Setup
• Every user and service get certified and assigns password

20

CSE543 - Introduction to Computer and Network Security Page

Ticket (KAB)

“Locked” by KA

A Kerberos Ticket

• A kerberos ticket is a token that …
• Alice is the only on that can open it
• Contains a session key for Alice/Bob (KAB)
• Contains inside it a token that can only be opened by Bob
• Bob’s Ticket contains
• Alice’s identity
• The session key (KAB)
• Q: What if issuing service is not trusted?

(KAB) Ticket

“Locked” by KB

21

CSE543 - Introduction to Computer and Network Security Page

The protocol (obtaining a TGT)

• Timeexp - time of expiration
• n - nonce (random, one-use value: e.g., timestamp)

Alice KDC [A,TGS,Timeexp,n]

1

E(kA,[kA,TGS,TGS,Timeexp,n]),E(KTGS,[A, kA,TGS, Timeexp],)

2

TGT

22

CSE543 - Introduction to Computer and Network Security Page

The protocol (performing authentication)

Alice Bob

[B,Timeexp,n,E(kA,TGS,[B,Timeexp,n])], E(KTGS,[A,kA,TGS,Timeexp])]

1

E(kA,TGS,[kA,B,B,Timeexp,n]), E(kB,[A,kA,B,Timeexp])]

2

TGS

3

E(kA,B,[A,Timeexp,n]), E(kB,[A,kA,B,Timeexp])]

23

Authenticator

CSE543 - Introduction to Computer and Network Security Page

Cross-Realm Kerberos

• Extend philosophy to more servers
• Obtain ticket from TGS for foreign Realm
• Supply to TGS of foreign Realm
• Rinse and repeat as necessary
• “There is no problem so hard in computer science that

it cannot be solved by another layer of indirection.”

• David Wheeler, Cambridge University (circa 1950)

Michigan Penn St. Ohio St. Purdue Pitt

24

CSE543 - Introduction to Computer and Network Security Page

Kerberos Reality

• V4 was supposed to be replaced by V5
• But wasn’t because interface was ugly, complicated, and encoding was

infuriating

• Assumes trusted path between user and Kerberos
• Widely used in UNIX domains
• Robust and stable implementation
• Problem: trust ain’t transitive, so not so good for large

collections of autonomous enterprises

25

CSE543 - Introduction to Computer and Network Security Page

Assignment #2

• A password protecting file processor.

26

CSE543 - Introduction to Computer and Network Security Page

Course Project

• The course project requires the student

execute some limited research in security.

• Demonstrate applied knowledge
• Don’t try to learn some new field
• Be realistic about what can be

accomplished in a single semester.

• However, the work should reflect real

thought and effort.

• The grade will be based on the following

factors: novelty, depth, correctness, clarity of presentation, and effort.

27

CSE543 - Introduction to Computer and Network Security Page

Deliverables

• The chief product of the project will be a conference style
• paper. There will be several milestones:
• Project Choice (9/18/08)
• Background and Related Work (10/9/08)
• Experiment Proposal (10/30/08)
• Project Status Slides (11/13/08)
• Final Project Write-up (12/19/08)
• Everyone will present to 12/12/08, describing the project,

progress, expected results and related work

• This is the most important factor in your grade (30%) so

you better take it seriously

• E.g., an exceptionally good project may help your grade

28

CSE543 - Introduction to Computer and Network Security Page

Project Choice

• Due on Sept 18, 5:00pm
• Order list of projects
• Choose three projects in order of interest
• Choose up to 3 collaborators
• Optional
• Get a sense of groupings
• I will choose your project and group (as needed)
• Hopefully, I can resolve the constraints implied
• One group per project
• A functional group

29

CSE543 - Introduction to Computer and Network Security Page

What is Authentication?

• Short answer: establishes identity
• Answers the question: To whom am I speaking?
• Long answer: evaluates the authenticity of

identity proving credentials

• Credential – is proof of identity
• Evaluation – process that assesses the correctness
• f the association between credential and claimed

identity

• for some purpose
• under some policy (what constitutes a good cred.?)

30

CSE543 - Introduction to Computer and Network Security Page

Why authentication?

• Well, we live in a world of rights, permissions, and

duties?

• Authentication establishes our identity so that we can
• btain the set of rights
• E.g., we establish our identity with Tiffany’s by providing

a valid credit card which gives us rights to purchase goods ~ physical authentication system

• Q: How does this relate to security?

31

CSE543 - Introduction to Computer and Network Security Page

Why authentication (cont.)?

• Same in online world, just different constraints
• Vendor/customer are not physically co-located, so we

must find other ways of providing identity

• e.g., by providing credit card number ~ electronic

authentication system

• Risks (for customer and vendor) are different
• Q: How so?
• Computer security is crucially dependent on the

proper design, management, and application of authentication systems.

32

CSE543 - Introduction to Computer and Network Security Page

What is Identity?

• That which gives you access … which is largely

determined by context

• We all have lots of identities
• Pseudo-identities
• Really, determined by who is evaluating credential
• Driver’s License, Passport, SSN prove …
• Credit cards prove …
• Signature proves …
• Password proves …
• Voice proves …
• Exercise: Give an example of bad mapping between

identity and the purpose for which it was used.

33

CSE543 - Introduction to Computer and Network Security Page

Credentials

• … are evidence used to prove identity
• Credentials can be
• Something I am
• Something I have
• Something I know

34

CSE543 - Introduction to Computer and Network Security Page

Something you know …

• Passport number, mothers maiden name, last 4 digits
• f your social security, credit card number
• Passwords and pass-phrases
• Note: passwords are generally pretty weak
• University of Michigan: 5% of passwords were goblue
• Passwords used in more than one place
• Not just because bad ones selected: If you can remember

it, then a computer can guess it

• Computers can often guess very quickly
• Easy to mount offline attacks
• Easy countermeasures for online attacks

35

CSE543 - Introduction to Computer and Network Security Page

Something your have …

• Tokens (transponders, …)
• Speedpass, EZ-pass
• Smartcards
• Digital Certificates (used by Websites to authenticate

themselves to customers)

• More on this later …

36

CSE543 - Introduction to Computer and Network Security Page

Something your are …

• Biometrics measure some physical characteristic
• Fingerprint, face recognition, retina scanners, voice,

signature, DNA

• Can be extremely accurate and fast
• Active biometrics authenticate
• Passive biometrics recognize
• What is the fundamental problem?
• Revocation – lost fingerprint?
• “fuzzy” credential, e.g., your face changes based on mood ...
• Great for physical security, generally not feasible for on-line

systems (why?)

37

CSE543 - Introduction to Computer and Network Security Page

Web Authentication

• Authentication is a bi-directional process
• Client
• Server
• Mutual authentication
• Several standard authentication tools
• Basic (client)
• Digest (client)
• Secure Socket Layer (server, mutual)
• Cookies (indirect, persistent)
• Q: Are cookies good credentials?

38

CSE543 - Introduction to Computer and Network Security Page

GET /protected/index.html HTTP/1.0 HTTP/1.0 401 Unauthorized WWW-Authenticate: Basic realm=“Private” GET /protected/index.html HTTP/1.0 Authorization: Basic JA87JKAs3NbBDs CLIENT CLIENT CLIENT

How Basic Authentication Works

39

CSE543 - Introduction to Computer and Network Security Page

Setting up Basic auth in Apache

• File in directory to protect (.htacess)

AuthType Basic AuthName Patrick’s directories (User ID=mcdaniel)" AuthUserFile /usr/mcdaniel/www-etc/.htpw1 AuthGroupFile /dev/null require valid-user

• In /usr/mcdaniel/www-etc/.htpw1

mcdaniel:l7FwWEqjyzmNo generated using htpasswd program

• Can use different .htaccess files for

different directories

40

CSE543 - Introduction to Computer and Network Security Page

• Passwords easy to intercept
• Passwords easy to guess
• Just base-64 encoded
• Passwords easy to share
• No server authentication
• Easy to fool client into sending password to

malicious server

• One intercepted password gives

eavesdropper access to many documents

41

Basic Authentication Problems

CSE543 - Introduction to Computer and Network Security Page

Basic Authentication Problems

• Passwords easy to intercept
• Passwords easy to guess
• Just base-64 encoded
• Passwords easy to share
• No server authentication
• Easy to fool client into sending password to malicious server
• One intercepted password gives eavesdropper access

to many documents

42

CSE543 - Introduction to Computer and Network Security Page

GET /protected/index.html HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm=“Private” nonce=“98bdc1f9f017..” GET /protected/index.html HTTP/1.1 Authorization: Digest username=“lstein” realm=“Private” nonce=“98bdc1f9f017..” response=“5ccc069c4..” CLIENT CLIENT CLIENT

43

Digest Authentication

CSE543 - Introduction to Computer and Network Security Page

• Challenge (“nonce”): any changing string
• e.g. MD5(IP address:timestamp:server secret)
• Response: challenge hashed with user’s name &

password

• MD5(MD5(name:realm:password):nonce:MD5(request))
• Server-specific implementation options
• One-time nonces
• Time-stamped nonces
• Method authentication digests

44

Challenge and Response

CSE543 - Introduction to Computer and Network Security Page

• Cleartext password never transmitted across network
• Cleartext password never stored on server
• Replay attacks difficult
• Intercepted response only valid for a single URL
• Shared disadvantages
• Vulnerable to man-in-the-middle attacks
• Document itself can be sniffed

45

Advantages of Digest over Basic

CSE543 - Introduction to Computer and Network Security Page

Password Attacks

• Use of passwords in, for example, Kerberos is

susceptible to offline cracking

• Process:
• User enters password for Kerberized client
• Request (w/o password) forwarded to KDC
• Response is encrypted in key derived from user’s passwd
• Client generates key from password for decryption
• Attack: If you know what the message should say, you

can guess and test passwords

• We ran this and recovered 35% of CSE passwds
• Can also spoof logins to recover passwds

46

CSE543 - Introduction to Computer and Network Security Page

A petard ...

• The rule of seven plus or minus two.
• George Miller observed in 1956 that

most humans can remember about 5-9 things more or less at once.

• Thus is a kind of maximal entropy that
• ne can hold in your head.
• This limits the complexity of the

passwords you can securely use, i.e., not write on a sheet of paper.

• A perfectly random 8-bit password has

less entropy than a 56-bit key.

• Implication?

47

CSE543 - Introduction to Computer and Network Security Page

A question?

• Is there going to come a day where all passwords are

useless?

• Suppose I can remember 16 bytes of entropy (possible?)
• Won’t there come a day when all passwords are useless?
• Moore’s law and its corollaries?

48

CSE543 - Introduction to Computer and Network Security Page

Answer: no

• Nope, you just need to make the process of checking

passwords more expensive. For example, you can repeat the salted hash many times ...

• Linear cost speedup?

49