security assessment of authentication and authorization
play

Security Assessment of Authentication and Authorization Mechanisms - PowerPoint PPT Presentation

Apr 16, 2023 •100 likes •467 views

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

  1. Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019

  2. Agenda Introduction Motivation 1. Scope 2. Research Questions 3. Methodology Roadmap 1. Analysis framework 2. Hypothesis 3. Platform Security Assessment Experiments 4. Threat model 5. Ethereum 1. Quorum 2. Hyperledger Fabric 3. Corda Discussion 4. Conclusion � 2

  3. Introduction Motivation 1. Scope 2. Research Questions 3. Methodology Roadmap 1. Analysis framework 2. Hypothesis 3. Platform Security Assessment Experiments 4. Threat model 5. Ethereum 1. Quorum 2. Hyperledger Fabric 3. Corda Discussion 4. Conclusion � 3

  4. Motivation Blockchain Attackers Industry � 4

  5. Scope: definition of the subject “Security of main blockchain technologies” 4 platforms Area of interest Ethereum Authentication: verifying the proclaimed identity Quorum Hyperledger Fabric Authorization: verifying the access rights Corda � 5

  6. Research Questions How are the mechanisms designed and implemented? RQ1 What are the vulnerabilities? RQ2 How can we harden the systems? RQ3 � 6

  7. Introduction Motivation 1. Scope 2. Research Questions 3. Methodology Roadmap 1. Analysis framework 2. Hypothesis 3. Platform Security Assessment Experiments 4. Threat model 5. Ethereum 1. Quorum 2. Hyperledger Fabric 3. Corda Discussion 4. Conclusion � 7

  8. Roadmap Implementation: Deployments & Experiments Design Analysis Contributions: Security Assessment & Hardening Guidelines � 8

  9. Analysis Framework Implementation: Deployments & Experiments 1) Network permissioning 2) Transaction 3) Remote user (off-site location access) Design Analysis Contributions: Security Assessment & Hardening Guidelines � 9

  10. Hypothesis for deployment H1 Most deployed platform versions are the most likely to be targeted by attackers H2 Users tend to adapt their systems from existing official sample scripts Ethereum Quorum Hyperledger Fabric Corda Hyperledger Fabric v1.3.0 Corda Example Dapp v3.3 Geth Client v1.8.23 Quorum 2.2.1 using 7nodes using Deploy your first network demo with Tessera tutorial � 10

  11. Experiments: a Total of 18 Experiments Conducted Implementation: Deployments & Experiments Role of the experiments: ● Assess behaviour ● Test uncertain behaviours ● Assess the popularity of known attacks Design Analysis Contributions: Security ● Demonstrate possible vulnerabilities Assessment & Hardening Guidelines � 11

  12. Threat model definition 1) Authentication threats: Implementation: Deployments ● Brute force / dictionary attack & Experiments ● Password sniffing attack ● Key compromise attack ● Replay attack ● MITM / Session hijacking ● Source non-repudiation ● DDoS and DoS 2) Authorization threats: ● Elevation of privileges ● Exploitation of access granting vulnerabilities Design Analysis Contributions: Security Assessment & Hardening Guidelines 3) Security single points of failure 4) Default parameters vulnerabilities � 12

  13. Introduction Motivation 1. Scope 2. Research Questions 3. Methodology Roadmap 1. Analysis framework 2. Hypothesis 3. Platform Security Assessment Experiments 4. Threat model 5. Ethereum 1. Quorum 2. Hyperledger Fabric 3. Corda Discussion 4. Conclusion � 13

  14. Ethereum: Authentication and Authorization Mechanisms Authenticated channel for node communication key-based Transaction sender authentication key-based General remote user authentication non-existing Account owner remote authentication passphrase-based Remote user authorization Depends on which modules are enabled � 14

  15. Experiment: RPC honeypot Gather information about the motives and tactics of attackers Goals Setup • Deploy a node with all RPC • Default account unlock duration modules enable listening to all 300s incoming port . • Measure the likelihood of an • Capture the traffic during one attack occuring within this and a half hour using lapse of time Wireshark. � 15

  16. Experiments: RPC honeypot results 10849 packets observed from 13 different ● attackers The largest interval between two attempts is 20 ● seconds Dictionary attack ● Main purpose is financial benefits ● Packet captured with Wireshark � 16

  17. Authentication Vulnerabilities Node authenticated Remote account owner Communication authentication Man-in-the-Middle and Passphrase brute force Session Hijacking and dictionary attacks RLPx handshake is RPC is stateless ● ● considered to be broken: aes-secret and mac-secret are reused for both reading Passphrase sniffing and writing RPC is plain text ● Isolate a node from the Isolate a node from the Funds stealing Funds stealing DDoS and DoS Man-in-the-Middle network network No authentication ● ✓ Session Hijacking If account default unlock ● duration is different from 0 By default, APIs disabled Key compromise: Elliptical curve secp256k1 vulnerable to Pollards rho speed up attacks (Hartwig Mayer research [1] , only successful on 109 bit long keys) � 17

  18. Quorum : Authentication and Authorization Mechanisms of Ethereum Permissioned Platform Key-based and optionally certificate-based if TLS CA Node authentication Transaction sender authentication key-based Transaction receiver authorization ACL General remote user authentication non-existing Account owner remote authentication passphrase-based Remote user authorization Depends on which modules are enabled TLS can be enabled in the modes: CA, Trust on First use (TOFU), whitelist � 18

  19. Experiments : permissioning & honeypot Triggers inconsistent behaviour 1) Different permissioning files TLS Mode None CA TOFU & TOFU Whitelist CA Dynamic Yes Yes Yes Yes No addition of 2) Dynamicity of addition/revocation a node Dynamic Yes Yes via Yes via No No revocation CRL CRL of a node 3) Honeypot for espionage No attacker is detected � 19

  20. Authentication Vulnerabilities: many similarities with Ethereum Node authentication Remote account owner Block communication via authentication HTTP If TLS disabled : Man-in- Passphrase brute force If TLS disabled: Man-in-the- the-Middle and and dictionary attacks Middle, replay attack, Session Hijacking RPC is stateless source non-repudiation, ● By default, TLS disabled By default, RPC enabled By default, TLS disabled RLPx handshake is ● DDoS and DoS Passphrase sniffing considered to be broken. Espionage/Sabotage Espionage/Sabotage Espionage/Sabotage Espionage/Sabotage Espionage/Sabotage Espionage/Sabotage RPC is plain text ● If mutual TLS disabled: Man-in-the-Middle DDoS and DoS Session Hijacking Key compromise: Elliptical curve secp256k1 vulnerable to Pollards rho speed up attacks (Hartwig If account default unlock ● duration is different from 0 Mayer research [1] , only successful on 109 bit long keys) � 20

  21. Vulnerabilities Exploitation of Access Granting and Single points of failure Elevation of Privileges Revoking Vulnerabilities ● TLS TOFU and Whitelist Module-enabling attacks ● Root CA is used for TLS ● modes do support node and Identity revocation Transaction access ● using RPC ● Different permissioning files Additional vulnerability: TOFU mode prevents a node from changing a compromised key pair. � 21

  22. Hyperledger Fabric : Authentication and Authorization Mechanisms Certificate-based Message sender authentication Node role granting ABAC Transaction sender authorization ACL Hyperledger Fabric offers a module called Fabric CA which handles certificate issuing. � 22

  23. Experiment A malicious majority can New prevent an organization Org from being noticed of a change in the configuration 1) Majority vote Org3 removal (but Org3 is not noticed that it has been removed) 2) Majority vote New Org Addition 3) Majority vote Org3 Addition (but Org3 is not noticed that it has been re-added) � 23

  24. Authentication Vulnerabilities Message sender Message sender authentication in Fabric CA authentication If client authentication is disabled: brute force and dictionary attacks, DDoS and DoS Sabotage (inoperative Malicious registrations If mutual TLS is disabled: network) DDoS and DoS If TLS disabled: sniffing, replay, MITM and session hijacking By default, TLS disabled attacks By default, mutual TLS disabled � 24

  25. Vulnerabilities Exploitation of Access Granting and Single points of failure Elevation of Privileges Revoking Vulnerabilities Single node orderer Lack of smart contract No support to revoke ● ● TLS certificates sandboxing causing Single root CA: if possible elevation of ● No expiration of ● same root CA is used privileges (Nettitude, identity certificate for TLS and MSP Security Assessment identities report [2] ) � 25

  26. Corda: Authentication and Authorization Mechanisms Message sender authentication Certificate-based Node role granting ABAC Transaction sender authorization Depends on notaries nodes General remote user authentication Password-based Remote user authorization Capability list � 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof.

http://xkcd.com/932/ Homework 2 Review CS 166: Information Security Authorization: Part 1 Prof. Tom Austin San Jos State University Authentication vs Authorization Authentication Are you who you say you are? Restrictions on who

1.14k views • 79 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication & Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on every request! Authorization Making sure a user can only get to information they are supposed to see Making sure a user can only perform

801 views • 30 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
Full Year Results for the year ending 31 March 2017 12 May 2017 Agenda FY17 Highlights

Full Year Results for the year ending 31 March 2017 12 May 2017 Agenda FY17 Highlights

Full Year Results for the year ending 31 March 2017 12 May 2017 Agenda FY17 Highlights FY17 Financial Results Operational performance Financial performance Cash position and distributions Strategy and Market Outlook

449 views • 22 slides
Annual Results Presentation For the twelve months ended 31 Dec 2015 25 February 2016 AGENDA

Annual Results Presentation For the twelve months ended 31 Dec 2015 25 February 2016 AGENDA

SCALES CORPORATION LIMITED YOUR DIVERSIFIED AGRIBUSINESS PORTFOLIO Annual Results Presentation For the twelve months ended 31 Dec 2015 25 February 2016 AGENDA Summary Highlights Financial Performance Divisional Overview

589 views • 35 slides
150 th Annual General Meeting 22 November 2018 2018 AGM | Investment Portfolio 31 July 2018 Cash

150 th Annual General Meeting 22 November 2018 2018 AGM | Investment Portfolio 31 July 2018 Cash

150 th Annual General Meeting 22 November 2018 2018 AGM | Investment Portfolio 31 July 2018 Cash $4m Other Strategic Equity Investments 2018 Property ($ mil) Surf Hardware International 16.0 $30m Boundary Bend 14.8 Carlton Investments

434 views • 18 slides
Piloting Common Performance Assessments to Maximize Teacher and Student Learning December 10,

Piloting Common Performance Assessments to Maximize Teacher and Student Learning December 10,

Piloting Common Performance Assessments to Maximize Teacher and Student Learning December 10, 2013 1 Introductions Presenters : Christina Brown, CCE Senior Director for Instruction and Assessment Michael Brownstein, QPA Senior Associate

561 views • 53 slides
Implementing Berkheimer : Shifting the Examination Burden at the USPTO In the Supreme Courts

Implementing Berkheimer : Shifting the Examination Burden at the USPTO In the Supreme Courts

Implementing Berkheimer : Shifting the Examination Burden at the USPTO In the Supreme Courts 2014 decision in Alice Corp. v. CLS Bank Intl, the Supreme Court cemented a two-step framework for determining whether a patent claim is ineligible

292 views • 10 slides
Company Presentation Q1 2020 Fu Full Ye Year 2 2019 R Results ts Pr Presenta tati tion

Company Presentation Q1 2020 Fu Full Ye Year 2 2019 R Results ts Pr Presenta tati tion

Company Presentation Q1 2020 Fu Full Ye Year 2 2019 R Results ts Pr Presenta tati tion 28 28 Februa uary 2020 2020 1. Introduction to VGP Th The Contin inental l European pure-pl play logistics real-es estate e group n Fully

605 views • 38 slides
TADPOLE GARDEN VILLAGE COMMUNITY INTEREST COMPANY ANNUAL MEMBERS MEETING 13 TH JUNE 2019 Agenda

TADPOLE GARDEN VILLAGE COMMUNITY INTEREST COMPANY ANNUAL MEMBERS MEETING 13 TH JUNE 2019 Agenda

TADPOLE GARDEN VILLAGE COMMUNITY INTEREST COMPANY ANNUAL MEMBERS MEETING 13 TH JUNE 2019 Agenda 1. Welcome and Introduction 2. TGV Landscaping Maintenance & TGVCIC Asset Update 3. TGVCIC/Preims Role TADPOLE 4. TGVCIC Service Charge Fees

447 views • 32 slides
Loungers plc Interim results for the 24 weeks ended 6 October 2019 DECEMBER 2019 H1 FY20

Loungers plc Interim results for the 24 weeks ended 6 October 2019 DECEMBER 2019 H1 FY20

Loungers plc Interim results for the 24 weeks ended 6 October 2019 DECEMBER 2019 H1 FY20 Highlights LFL Sales growth +5.4%, overall sales +22%, adjusted EBITDA +26% Three year track record of sector leading performance maintained in H1

321 views • 29 slides

More recommend