Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
CS 138 VIII–1 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
CS 138: Security II
CS 138 VIII–2 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Today
• Secure key distribution • Authorization
CS 138 VIII–3 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Authentication with Shared Secret
A
RB
KAB(RB)
RA
KAB(RA)
Alice Bob
CS 138 VIII–4 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Shortcut
A, RA
RB, KAB(RA)
KAB(RB)
Bob Alice
CS 138 VIII–5 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Trickery: Reflection Attack
A, RM RB, KAB(RM)
KAB(RB)
Mallory Bob
A, RB RB2, KAB(RB)
CS 138 VIII–6 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Fixing the replay
A, RA
KAB(RB,RA)
KAB(RB-1)
Bob Alice
CS 138 VIII–7 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Problem: n2 key pairs!
• Alternatives – Share keys with a key distribution service – Public-key cryptography
CS 138 VIII–8 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Kerberos
• Developed at MIT in the 80’s • Uses a Key Distribution Service (KDC)
– Based on Needham-Shroeder key exchange • Our description based on the “play”:
“Designing an Authentication System: a Dialogue in Four Scenes”
http://web.mit.edu/kerberos/dialogue.html
CS 138 VIII–9 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Kerberos alpha 0
A, password, mail
Kmail(A)
A, Kmail(A)
KDC
Alice Mail
CS 138 VIII–10 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Kerberos alpha 1
A, mail
KA(mail, Kmail(A))
A, Kmail(A)
KDC
Alice Mail
CS 138 VIII–11 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Avoiding Replays
A, mail
KA(mail, Kmail(A, exp))
A, Kmail(A, exp)
KDC
Alice Mail
CS 138 VIII–12 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Avoiding Replays
A, mail
KA(KAM), Kmail(A, KAM, exp))
KAM(A), Kmail(A, KAM, exp)
KDC
Alice Mail
CS 138 VIII–13 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Avoiding Replays
A, mail
KA(KAM), Kmail(A, KAM, exp))
KAM(A, ts), Kmail(A, KAM, exp)
KDC
Alice Mail
CS 138 VIII–14 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Ticket granting service
A, TGS
KA(KAT), KTGS(A,KAT,exp)
KDC
Alice Mail
TGS KAT(A,ts1), mail, KTGS(A,KAT,exp)
KAT(KAM), Kmail(A, KAM, exp))
KAM(A, ts2), Kmail(A, KAM, exp)
CS 138 VIII–15 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Authenticating the server
A, TGS
KA(KAT), KTGS(A,KAT,exp)
KDC
Alice Mail
TGS KAT(A,ts1), mail, KTGS(A,KAT,exp)
KAT(KAM), Kmail(A, KAM, exp))
KAM(A, ts2), Kmail(A, KAM, exp)
KAM(ts2+1)
CS 138 VIII–16 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Cross-Realm Authentication
Realm X Realm Y
Client Application Server
Authentication Server
Kerberos Key-Distribution
Server
Ticket- Granting Server
Authentication Server
Kerberos Key-Distribution
Server
Ticket- Granting Server
CS 138 VIII–17 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Transitive Trust
Realm A
Client
Realm B
Client
Realm Z
Client
Application Server
CS 138 VIII–18 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Hierarchical Trust /…
acme.com osf.org college.edu
west_coast east_coast
manufac R&D
RI
gr
CS admin
CS 138 VIII–19 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Getting Authorized
Send me a copy of a journal
Are you a paid member?
CS 138 VIII–20 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Getting Authorized
CS 138 VIII–21 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Getting Authorized
I’m a Brown student.
Prove it.
CS 138 VIII–22 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Getting Authorized
My IP address starts 128.148.
Good enough for me.
CS 138 VIII–23 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Hacks ’R’ Us
Getting Authorized
CS 138 VIII–24 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Hacks ’R’ Us
Getting Authorized
I need a hack for 138.
Prove you are a 138 student.
CS 138 VIII–25 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Hacks ’R’ Us
Enter Shibboleth
CS 138 VIII–26 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Using Shibboleth
• Student – logs in to Brown, gets credentials
• Hacks ’r’ Us – responds to client requests with an
authentication request - indicates what it requires (e.g., CS138
student status) • Identity provider
– contacted by student’s browser – given student’s credentials, returns desired
student attributes (CS 138 student)
CS 138 VIII–27 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Shibboleth
• Separates the federation from the authentication
– Individual IdP’s can do what they want – Federation makes it more scalable
CS 138 VIII–28 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Diffie-Hellman Key Exchange • Different model of the world: How to generate keys between
two people, securely, no trusted party, even if someone is listening in.
• This is cool. But: Vulnerable to man-in-the-middle attack. Attacker pair-wise negotiates keys with each of A and B and decrypts traffic in the middle. No authentication...
image from wikipedia
CS 138 VIII–29 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Authorization
• Is the requestor permitted to perform the requested operation?
• Does this require knowledge of who the requestor is?
CS 138 VIII–30 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
An analogy
• Alice wants a safe deposit box in a bank • Two options:
– Bank maintains a list of who can access the box
– Bank gives Alice a key (or a combination) • What are the pros and cons?
CS 138 VIII–31 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
ACL-Based Authorization
Authenticated Client Service
Reference Monitor
CS 138 VIII–32 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Capability-Based Authentication
Anonymous Client Service capability
CS 138 VIII–33 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Making ACLs Work
• Client provides credentials – privilege attribute certificate (PAC)
- certificate listing client’s credentials • e.g., user name, groups, etc.
• Client requests a particular operation • Server’s reference monitor looks up
credentials and request in ACL – returns permit/deny decision
CS 138 VIII–34 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Privilege Server
• Extend Kerberos into Privilege Server – maintains user and group database – prepares PACs
- includes them in ticket - application-server ticket informs server of
all of client’s credentials
CS 138 VIII–35 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Impersonation
Authenticated Client Service
Reference Monitor
Print Server
Service Reference Monitor
File Server
… allow twd w
… allow twd r
CS 138 VIII–36 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Impersonation using Privilege Server
• Client requests print-server ticket from privilege server
– asks it to mark PAC “permit impersonation” • Client sends ticket to print server • Print server requests file-server ticket from
privilege server – includes client’s print-server ticket – privilege server provides file-server ticket
containing original client’s PAC - print server impersonates client
CS 138 VIII–37 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Impersonation Problems
Authenticated Client Service
Reference Monitor
Print Server
Service Reference Monitor
File Server
Service Reference Monitor
Cash Server
CS 138 VIII–38 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Delegation
Authenticated Client Service
Reference Monitor
Print Server
Service Reference Monitor
File Server
Service Reference Monitor
Cash Server
allow twd_delegates rw allow twd rw
CS 138 VIII–39 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
How It’s Done
• Client requests print-server ticket with delegation permitted
– privilege server constructs ticket with client’s PAC so marked
• Client presents ticket to print server • Print server requests delegated file-server
ticket from privilege server – privilege server returns ticket with both
original client’s and print-server’s PACs • Print server presents ticket to file server
– file server checks delegate entries in ACL
CS 138 VIII–40 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Capabilities
• A capability is both a reference and an access right to a particular resource
CS 138 VIII–41 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
ACLs vs. C-Lists
Rob’s Process
Chris’s Process
File X
Rob: rw Chris: r
File Y
Rob: r Chris: rw
Rob’s Process
Chris’s Process
rw r
r rw
ACL
ACL
C-List
C-List
CS 138 VIII–42 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
More General View
• Subjects and resources are objects (in the OO sense)
Object A
read
Object B
append
Object C
CS 138 VIII–43 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Copying Capabilities (1)
Object A
write cap
Object B
read
Object C
CS 138 VIII–44 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Copying Capabilities (2)
Object A
write cap
Object B
read read
Object C
CS 138 VIII–45 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
“Directories”
Object A
read cap
Directory
read Object
X write
Object Y
append
Object Z
Object B
read cap
CS 138 VIII–46 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Least Privilege (1)
Login Process
read cap
Directory
read Public Data
write
System File
read
Credit Card Info
Suspect Code
write cap
CS 138 VIII–47 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Least Privilege (2)
Login Process
read cap
Directory
read Public Data
write
System File
read
Credit Card Info
Suspect Code
read
write cap
CS 138 VIII–48 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
An analogy
ACL (List) Capability (Key) Authentication Bank must check list Bank not involved Forging access Bank must secure list Can’t be forged Adding a new person Owner visits bank Copy key Delegation Friend can’t delegate Friend can give key Revocation Owner can remove
ex Harder
• Sharing online album – Authorize specific users – Share by secret URL
CS 138 VIII–49 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
ACLs vs. Capabilities
• ACLs – Authentication
- Reference monitor involved – specifying access rights
- easy – least privilege
- hard – delegation
- Awkward – Revocation
- easy
• Capabilities – Authentication
- No one involved – specifying access rights
- awkward – least privilege
- easy – delegation
- Easy – Revocation
- hard
CS 138 VIII–50 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Capabilities in Amoeba
server port object rights check 48 bits 24 bits 8 bits 48 bits
Object reference Copy kept on server
CS 138 VIII–51 Copyright © 2012 Thomas W. Doeppner, Rodrigo Fonseca. All rights reserved.
Generating Restricted Capabilities
server port object 11111111 C
Xor
One-way Function
00000001 new rights
server port object 00000001 f(C⊕00000001)