CSE543 - Introduction to Computer and Network Security Module:...
Transcript of CSE543 - Introduction to Computer and Network Security Module:...
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to Computer and Network Security
Module: Authentication
Professor Patrick McDanielFall 2008
1
CSE543 - Introduction to Computer and Network Security Page
Meet Alice and Bob ….• Alice and Bob are the canonical players in the
cryptographic world. ‣ They represent the end points of some interaction‣ Used to illustrate/define a security protocol
• Other players occasionally join …‣ Trent - trusted third party‣ Mallory - malicious entity‣ Eve - eavesdropper‣ Ivan - an issuer (of some object)
2
CSE543 - Introduction to Computer and Network Security Page
Some notation …• You will generally see protocols defined in terms of
exchanges containing some notation like‣ All players are identified by their first initial
• E.g., Alice=A, Bob=B
‣ d is some data ‣ pwA is the password for A
‣ kAB is a symmetric key known to A and B‣ KA+,KA- is a public/private key pair for entity A‣ E(k,d) is encryption of data d with key k‣ H(d) is the hash of data d‣ Sig(KA-,d) is the signature (using A’s private key) of data d‣ “+” is used to refer to concatenation
3
CSE543 - Introduction to Computer and Network Security Page
Some interesting things • … when communicating.‣ Ensure the authenticity of a user‣ Ensure the integrity of the data
• Also called data authenticity
‣ Keep data confidential‣ Guarantee non-repudation
4
CSE543 - Introduction to Computer and Network Security Page
Basic (User) Authentication
Alice Bob
• Bob wants to authenticate Alice’s identity‣ (is who she says she is)
[pwA]
1
[Y/N]
2
5
CSE543 - Introduction to Computer and Network Security Page
Hash User Authentication
Alice Bob
• Bob wants to authenticate Alice’s identity‣ (is who she says she is)
[h(pwA)]
1
[Y/N]
2
6
CSE543 - Introduction to Computer and Network Security Page
Challenge/Response User Authentication
Alice Bob
• Bob wants to authenticate Alice’s identity‣ (is who she says she is)
[h(c+pwA)]2
1
[c]
[Y/N]
3
7
CSE543 - Introduction to Computer and Network Security Page
User Authentication vs. Data Integrity
• User authentication proves a property about the communicating parties‣ E.g., I know a password
• Data integrity ensures that the data transmitted...‣ Can be verified to be from an authenticated user‣ Can be verified to determine whether it has been modified
• Now, lets talk about the latter, data integrity8
CSE543 - Introduction to Computer and Network Security Page
Simple Data Integrity?
Alice Bob
• Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity)
[d,h(d)]1
9
CSE543 - Introduction to Computer and Network Security Page
HMAC Integrity
Alice Bob
• Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity)
[d,hmac(k,d)]1
10
CSE543 - Introduction to Computer and Network Security Page
Signature Integrity
Alice Bob
• Alice wants to ensure any modification of the data in flight is detectable by Bob (integrity)
[d, Sig(KA-, d)]1
11
CSE543 - Introduction to Computer and Network Security Page
Data Integrity vs. Non-repudiation
• If the integrity of the data is preserved, is it provably from that source?‣ Hash integrity says what about non-repudiation?‣ Signature integrity says what about non-repudiation?
12
CSE543 - Introduction to Computer and Network Security Page
Confidentiality
Alice Bob
• Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality)
[E(kAB,d), hmac(kAB, d)]1
13
CSE543 - Introduction to Computer and Network Security Page
Question• If I already have an authenticated channel (e.g., the
remote party’s public key), why don’t I simply make up a key and send it to them?
14
CSE543 - Introduction to Computer and Network Security Page
• Alice wants to ensure that the data is not exposed to anyone except the intended recipient (confidentiality)
• But, Alice and Bob have never met!!!!
• Alice randomly selects key kx to encrypt with
Confidentiality
Alice Bob
[E(kx,d), hmac(kx, d),E(KB+,kx)]1
15
CSE543 - Introduction to Computer and Network Security Page
Real Systems Security• The reality of the security is that 90% of the frequently
used protocols use some variant of these constructs.‣ So, get to know them … they are your friends‣ We will see them (and a few more) over the semester
• They also apply to systems construction‣ Protocols need not necessarily be online‣ Think about how you would use these constructs to secure
files on a disk drive (integrity, authenticity, confidentiality)‣ We will add some other tools, but these are the basics
16
CSE543 - Introduction to Computer and Network Security Page
Kerberos• History: from UNIX to Networks (late 80s)‣ Solves: password eavesdropping‣ Online authentication
• Variant of Needham-Schroeder protocol
‣ Easy application integration API‣ First single sign-on system (SSO)‣ Genesis: rsh, rcp
• authentication via assertion
• Most widely used (non-web) centralized password system in existence (and lately only ..)
• Now: part of Windows 2K/XP/Vista network authentication‣ Old Windows authentication was a cruel joke.
17
CSE543 - Introduction to Computer and Network Security Page
An aside …• Authentication‣ Assessing identity of users‣ By using credentials …
• Authorization‣ Determining if users have the right to perform requested
action (e.g., write a file, query a database, etc.)• Kerberos authenticates users, but does not perform
any authorization functions …‣ … beyond identify user as part of Realm‣ Typically done by application.
• Q: Do you use any “Kerberized” programs?‣ How do you know?
18
CSE543 - Introduction to Computer and Network Security Page
The setup …• The players‣ Principal - person being authenticated‣ Service (verifier) - entity requiring authentication (e.g, AFS)‣ Key Distribution Center (KDC)
• Trusted third party for key distribution• Each principal and service has a Kerberos password known to
KDC, which is munged to make a password ke, e.g., kA
‣ Ticket granting server• Server granting transient authentication
• The objectives
19
CSE543 - Introduction to Computer and Network Security Page
The protocol• A two-phase process
1. User authentication/obtain session key (and ticket granting ticket) key from Key Distribution Center
2. Authenticate Service/obtain session key for communication with service
• Setup‣ Every user and service get certified and assigns password
20
CSE543 - Introduction to Computer and Network Security Page
Ticket (KAB)
“Locked” by KA
A Kerberos Ticket• A kerberos ticket is a token that …‣ Alice is the only on that can open it‣ Contains a session key for Alice/Bob (KAB)‣ Contains inside it a token that can only be opened by Bob
• Bob’s Ticket contains‣ Alice’s identity‣ The session key (KAB)
• Q: What if issuing service is not trusted?
(KAB)Ticket
“Locked” by KB
21
CSE543 - Introduction to Computer and Network Security Page
The protocol (obtaining a TGT)
• Timeexp - time of expiration
• n - nonce (random, one-use value: e.g., timestamp)
Alice KDC
[A,TGS,Timeexp,n]1
E(kA,[kA,TGS,TGS,Timeexp,n]),E(KTGS,[A, kA,TGS, Timeexp],)
2
TGT
22
CSE543 - Introduction to Computer and Network Security Page
The protocol (performing authentication)
Alice
Bob
[B,Timeexp,n,E(kA,TGS,[B,Timeexp,n])], E(KTGS,[A,kA,TGS,Timeexp])]
1
E(kA,TGS,[kA,B,B,Timeexp,n]), E(kB,[A,kA,B,Timeexp])]
2TGS
3
E(kA,B,[A,Timeexp,n]),E(kB,[A,kA,B,Timeexp])]
23
Authenticator
CSE543 - Introduction to Computer and Network Security Page
Cross-Realm Kerberos• Extend philosophy to more servers‣ Obtain ticket from TGS for foreign Realm‣ Supply to TGS of foreign Realm‣ Rinse and repeat as necessary
• “There is no problem so hard in computer science that it cannot be solved by another layer of indirection.”‣ David Wheeler, Cambridge University (circa 1950)
Michigan Penn St.Ohio St.
Purdue Pitt
24
CSE543 - Introduction to Computer and Network Security Page
Kerberos Reality• V4 was supposed to be replaced by V5‣ But wasn’t because interface was ugly, complicated, and encoding was
infuriating
• Assumes trusted path between user and Kerberos• Widely used in UNIX domains• Robust and stable implementation
• Problem: trust ain’t transitive, so not so good for large collections of autonomous enterprises
25
CSE543 - Introduction to Computer and Network Security Page
Assignment #2• A password protecting file processor.
26
CSE543 - Introduction to Computer and Network Security Page
Course Project• The course project requires the student
execute some limited research in security.• Demonstrate applied knowledge• Don’t try to learn some new field• Be realistic about what can be
accomplished in a single semester.• However, the work should reflect real
thought and effort. • The grade will be based on the following
factors: novelty, depth, correctness, clarity of presentation, and effort.
27
CSE543 - Introduction to Computer and Network Security Page
Deliverables• The chief product of the project will be a conference style
paper. There will be several milestones:‣ Project Choice (9/18/08)
‣ Background and Related Work (10/9/08)
‣ Experiment Proposal (10/30/08)
‣ Project Status Slides (11/13/08)
‣ Final Project Write-up (12/19/08)
• Everyone will present to 12/12/08, describing the project, progress, expected results and related work
• This is the most important factor in your grade (30%) so you better take it seriously‣ E.g., an exceptionally good project may help your grade
28
CSE543 - Introduction to Computer and Network Security Page
Project Choice• Due on Sept 18, 5:00pm• Order list of projects‣ Choose three projects in order of interest
• Choose up to 3 collaborators‣ Optional‣ Get a sense of groupings
• I will choose your project and group (as needed)‣ Hopefully, I can resolve the constraints implied‣ One group per project‣ A functional group
29
CSE543 - Introduction to Computer and Network Security Page
What is Authentication?• Short answer: establishes identity‣ Answers the question: To whom am I speaking?
• Long answer: evaluates the authenticity of identity proving credentials ‣ Credential – is proof of identity‣ Evaluation – process that assesses the correctness
of the association between credential and claimed identity• for some purpose• under some policy (what constitutes a good cred.?)
30
CSE543 - Introduction to Computer and Network Security Page
Why authentication?• Well, we live in a world of rights, permissions, and
duties?‣ Authentication establishes our identity so that we can
obtain the set of rights‣ E.g., we establish our identity with Tiffany’s by providing
a valid credit card which gives us rights to purchase goods ~ physical authentication system
• Q: How does this relate to security?31
CSE543 - Introduction to Computer and Network Security Page
Why authentication (cont.)?• Same in online world, just different constraints‣ Vendor/customer are not physically co-located, so we
must find other ways of providing identity• e.g., by providing credit card number ~ electronic
authentication system‣ Risks (for customer and vendor) are different
• Q: How so?
• Computer security is crucially dependent on the proper design, management, and application of authentication systems.
32
CSE543 - Introduction to Computer and Network Security Page
What is Identity?• That which gives you access … which is largely
determined by context‣ We all have lots of identities‣ Pseudo-identities
• Really, determined by who is evaluating credential‣ Driver’s License, Passport, SSN prove …‣ Credit cards prove …‣ Signature proves …‣ Password proves …‣ Voice proves …
• Exercise: Give an example of bad mapping between identity and the purpose for which it was used.
33
CSE543 - Introduction to Computer and Network Security Page
Credentials• … are evidence used to prove identity• Credentials can be‣ Something I am ‣ Something I have‣ Something I know
34
CSE543 - Introduction to Computer and Network Security Page
Something you know …• Passport number, mothers maiden name, last 4 digits
of your social security, credit card number• Passwords and pass-phrases‣ Note: passwords are generally pretty weak
• University of Michigan: 5% of passwords were goblue• Passwords used in more than one place
‣ Not just because bad ones selected: If you can remember it, then a computer can guess it• Computers can often guess very quickly• Easy to mount offline attacks• Easy countermeasures for online attacks
35
CSE543 - Introduction to Computer and Network Security Page
Something your have …• Tokens (transponders, …)‣ Speedpass, EZ-pass
• Smartcards
• Digital Certificates (used by Websites to authenticate themselves to customers)‣ More on this later …
36
CSE543 - Introduction to Computer and Network Security Page
Something your are …• Biometrics measure some physical characteristic‣ Fingerprint, face recognition, retina scanners, voice,
signature, DNA‣ Can be extremely accurate and fast‣ Active biometrics authenticate‣ Passive biometrics recognize
• What is the fundamental problem?‣ Revocation – lost fingerprint?‣ “fuzzy” credential, e.g., your face changes based on mood ...‣ Great for physical security, generally not feasible for on-line
systems (why?)
37
CSE543 - Introduction to Computer and Network Security Page
Web Authentication• Authentication is a bi-directional process‣ Client‣ Server‣ Mutual authentication
• Several standard authentication tools‣ Basic (client)‣ Digest (client)‣ Secure Socket Layer (server, mutual)‣ Cookies (indirect, persistent)
• Q: Are cookies good credentials?38
CSE543 - Introduction to Computer and Network Security Page
GET /protected/index.html HTTP/1.0
HTTP/1.0 401 UnauthorizedWWW-Authenticate: Basic realm=“Private”
GET /protected/index.html HTTP/1.0Authorization: Basic JA87JKAs3NbBDs
CLIENT
CLIENT
CLIENT
How Basic Authentication Works
39
CSE543 - Introduction to Computer and Network Security Page
Setting up Basic auth in Apache
• File in directory to protect (.htacess)
AuthType Basic
AuthName Patrick’s directories (User ID=mcdaniel)"
AuthUserFile /usr/mcdaniel/www-etc/.htpw1
AuthGroupFile /dev/null
require valid-user
• In /usr/mcdaniel/www-etc/.htpw1 mcdaniel:l7FwWEqjyzmNo generated using htpasswd program• Can use different .htaccess files for
different directories40
CSE543 - Introduction to Computer and Network Security Page
• Passwords easy to intercept• Passwords easy to guess‣ Just base-64 encoded
• Passwords easy to share• No server authentication‣ Easy to fool client into sending password to
malicious server
• One intercepted password gives eavesdropper access to many documents
41
Basic Authentication Problems
CSE543 - Introduction to Computer and Network Security Page
Basic Authentication Problems • Passwords easy to intercept• Passwords easy to guess‣ Just base-64 encoded
• Passwords easy to share• No server authentication‣ Easy to fool client into sending password to malicious server
• One intercepted password gives eavesdropper access to many documents
42
CSE543 - Introduction to Computer and Network Security Page
GET /protected/index.html HTTP/1.1
HTTP/1.1 401 UnauthorizedWWW-Authenticate: Digest
realm=“Private” nonce=“98bdc1f9f017..”
GET /protected/index.html HTTP/1.1Authorization: Digest
username=“lstein” realm=“Private” nonce=“98bdc1f9f017..” response=“5ccc069c4..”
CLIENT
CLIENT
CLIENT
43
Digest Authentication
CSE543 - Introduction to Computer and Network Security Page
• Challenge (“nonce”): any changing string‣ e.g. MD5(IP address:timestamp:server secret)
• Response: challenge hashed with user’s name & password‣ MD5(MD5(name:realm:password):nonce:MD5(request))
• Server-specific implementation options‣One-time nonces‣ Time-stamped nonces‣Method authentication digests
44
Challenge and Response
CSE543 - Introduction to Computer and Network Security Page
• Cleartext password never transmitted across network• Cleartext password never stored on server• Replay attacks difficult• Intercepted response only valid for a single URL• Shared disadvantages‣ Vulnerable to man-in-the-middle attacks‣ Document itself can be sniffed
45
Advantages of Digest over Basic
CSE543 - Introduction to Computer and Network Security Page
Password Attacks• Use of passwords in, for example, Kerberos is
susceptible to offline cracking• Process:‣ User enters password for Kerberized client‣ Request (w/o password) forwarded to KDC‣ Response is encrypted in key derived from user’s passwd‣ Client generates key from password for decryption
• Attack: If you know what the message should say, you can guess and test passwords
• We ran this and recovered 35% of CSE passwds• Can also spoof logins to recover passwds
46
CSE543 - Introduction to Computer and Network Security Page
A petard ...• The rule of seven plus or minus two.‣ George Miller observed in 1956 that
most humans can remember about 5-9 things more or less at once.
‣ Thus is a kind of maximal entropy that one can hold in your head.
‣ This limits the complexity of the passwords you can securely use, i.e., not write on a sheet of paper.
‣ A perfectly random 8-bit password has less entropy than a 56-bit key.
• Implication?47
CSE543 - Introduction to Computer and Network Security Page
A question?• Is there going to come a day where all passwords are
useless?‣ Suppose I can remember 16 bytes of entropy (possible?)‣ Won’t there come a day when all passwords are useless?
• Moore’s law and its corollaries?
48
CSE543 - Introduction to Computer and Network Security Page
Answer: no• Nope, you just need to make the process of checking
passwords more expensive. For example, you can repeat the salted hash many times ...‣ Linear cost speedup?
49