Page 1: Week3 lecture

Week3-Lecture: Access Control Chapter Covered: 3,4,8,11,22

CIT 515 - Network and Internet Security, Dr. May El Barachi

Page 2: Week3 lecture

Reading and Quiz Materials

• Chapter 3: pages 53-56
• Chapter 4: pages 66-76
• Chapter 8: pages 199-203
• Chapter 11: pages 264-280
• Chapter 22: pages 577-581

Page 3: Week3 lecture

Objectives: Access Control

1. Authentication Methods
   • Password, Token, Biometric
   • Single Sign On vs. Password Synchronization
   • Kerberos, Sesame
2. Access Control Models: DAC, MAC, RBAC
3. Access Control Administration: Centralized, Decentralized
4. Access Control Types: Technical, Physical, Administrative
5. Access Control Categories: Deterrent, Preventive, ...
6. Access Control Principles
7. Access Control Attacks & Countermeasures
8. Access Control Assessment

Page 4: Week3 lecture

Objectives

Authentication: Who goes there?
• Determine whether access is allowed
• Verify the identity of a subject
• Authenticate human to machine
• Authenticate machine to machine

Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions

Page 5: Week3 lecture

Authentication Methods

To verify their identity, users can provide:

Something you know
• Username and password
• Birthday, address, passport number

Something you have
• Smart card
• Token
• ATM card

Something you are
• Biometrics

Somewhere you are
• IP address, GPS location

Page 6: Week3 lecture

Two-Factor Authentication (Strong Authentication)

Combine two different factors from the list above to authenticate users, e.g. a PIN the user knows plus a token the user has. Two items of the same factor (two passwords) do not count as two-factor.

Page 7: Week3 lecture

Password-Based Authentication

How is the password communicated? Eavesdropping risk: an attacker on the path can listen in on the exchange without either party knowing.

How is the password stored? In the clear? Encrypted? Hashed?

How does the system check the password? Compute the hash of the submitted password and compare it with the stored hash.

How can we make the hashed passwords harder to guess? Use a SALT: a random per-user value hashed together with the password, so equal passwords produce different hashes and a precomputed table of hashes is useless.

Page 8: Week3 lecture

Some Comic

Page 9: Week3 lecture

Password-Based Authentication

How easy is it to identify the password?
• Electronic monitoring (i.e. network sniffing)
• Keystroke loggers (HW & SW)
• Access to the password file
• Password guessing: dictionary attacks, brute force attacks, rainbow tables
• Social engineering: phishing, pharming, vishing, shoulder surfing, piggybacking, dumpster diving
• Reverse social engineering
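The storage and checking questions from the Password-Based Authentication slide and the guessing attacks listed above, worked through in code. This is an added example and is not part of the lecture: it uses PBKDF2-HMAC-SHA256 as the salted scheme (the slides do not name one), and the users, passwords and word list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2; an assumption for the demo (production values are
# tuned to the hardware and are usually much higher).
ITERATIONS = 50_000


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: a single SHA-256 over the password, no salt.
    Two users with the same password get the same stored value."""
    return hashlib.sha256(password.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: returns (salt, PBKDF2-HMAC-SHA256 digest).
    A fresh random salt per user makes equal passwords hash differently and
    forces an attacker to recompute every guess for every user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """How the system checks a login: recompute with the stored salt, then
    compare in constant time so the comparison itself leaks no timing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def dictionary_attack_unsalted(targets: Dict[str, bytes], wordlist: List[str]) -> Dict[str, str]:
    """Against unsalted hashes the attacker hashes each word ONCE and looks up
    every stolen hash in that table; a rainbow table is the same idea
    precomputed in advance. Returns {user: cracked_password}."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in targets.items() if h in table}


def dictionary_attack_salted(targets: Dict[str, Tuple[bytes, bytes]],
                             wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no precomputation helps: every (user, word) pair
    costs one slow PBKDF2 run. Returns ({user: password}, hashes_computed)."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in targets.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    # Constructed sample password file (not real users).
    words = ["password", "letmein", "123456"]
    weak = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    print("unsalted:", dictionary_attack_unsalted(weak, words))
    strong = {"alice": hash_password("letmein"), "bob": hash_password("letmein")}
    print("salted:", dictionary_attack_salted(strong, words))
```

Against the unsalted file one pass over the word list cracks every user who chose a listed word; against the salted file the attacker pays one full PBKDF2 computation per user per guess, which is the whole point of the salt plus work factor.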

Page 10: Week3 lecture

Password-Based Authentication – HW KeyLogger

Page 11: Week3 lecture

Password-Based Authentication - Phishing

Page 12: Week3 lecture

Password-Based Authentication

Password Controls
• Password length and composition
• Password aging
• Password history
• Password attempts (limit on failed attempts)
• Password storage
• One-time passwords
• User education
• Last successful login attempt (shown to the user so misuse is noticed)

Page 13: Week3 lecture

Password-Based Authentication - Hashing

LM hash is weak (the password is upper-cased and split into two 7-character halves that can be attacked independently) and is no longer stored by default since Windows Vista/7. NT hash is stronger, but not salted: identical passwords produce identical hashes, so one precomputed table serves against every account.

Page 14: Week3 lecture

Token-Based Authentication

More secure than passwords, however:
• Tokens may suffer from battery failure
• Cards may get damaged

Types of tokens:
• Synchronous: based on time
• Asynchronous: based on challenge/response

Page 15: Week3 lecture

Token-Based Authentication

Synchronous Tokens (Time-Synchronized Authentication)

Token side: algorithm(seed, current time) -> one-time code
Server side: algorithm(seed, current time) -> expected code

Same seeds + same time = same code. The code travels over the Internet to an RSA ACE Agent (running on a server or firewall), which checks it against the RSA ACE Server that holds the same seed. If the two clocks drift apart, the codes stop matching.
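The "same seed, same time" idea of the diagram written out as an added example; it is not from the lecture or from RSA's product. RSA SecurID's algorithm is proprietary, so the block uses the openly specified RFC 4226 HOTP / RFC 6238 TOTP construction, which has the same design: token and server derive a one-time code from a shared seed and the current time step. The seed is the RFC test-vector value, not a real secret, and the drift window and replay bookkeeping are design choices for the demo.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    'dynamic truncation' to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since
    the Unix epoch, so token and server agree as long as their clocks do."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Server side of the check: same seed, same time, same code."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed, self.step, self.window = seed, step, window
        # Highest time step already accepted: a code is valid once, so a
        # sniffed code cannot be replayed inside the drift window.
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        # Tolerate +/- `window` steps of clock drift between token and server.
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 test-vector seed, not a real secret
    now = int(time.time())
    print("token shows:", totp(seed, now))
    print("server accepts:", TokenServer(seed).verify(totp(seed, now), now))
```

The window is what makes the "clocks drift apart" failure mode survivable, and the `last_counter` check is what keeps that tolerance from becoming a replay window.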

Page 16: Week3 lecture

Token-Based Authentication

Asynchronous Tokens (challenge/response)

1. Client sends an authentication request to the authentication server
2. The server's challenge is displayed on the user's screen
3. User enters the PIN (and the challenge) into the token
4. Token computes and displays the response
5. User enters the response from the token into the computer
6. Response is sent to the authentication server
7. Authentication server validates the client (it computes the same response from the shared secret and the challenge it issued)

Page 17: Week3 lecture

Tokens Products - RSA

Page 18: Week3 lecture

RSA Two-Factor Authentication Hacked – Mar 2011

Page 19: Week3 lecture

RSA Two-Factor Authentication Hacked – Mar 2011

Page 20: Week3 lecture

RSA Admits & Replaces 40 Million Tokens – 6/6/11

Page 21: Week3 lecture

Tokens Products - Gemalto

Page 22: Week3 lecture

Biometric-Based Authentication

Face recognition
• Error rates up to 20%, given reasonable variations in lighting, viewpoint and expression

Fingerprints
• Traditional method for identification
• Distinguishes between 30-40 details about the peaks, valleys and ridges of the user's fingerprint
• 1911: first US conviction on fingerprint evidence
• U.K. traditionally requires a 16-point match
• Probability of a false match is 1 in 10 billion
• Fingerprint damage impairs recognition

Page 23: Week3 lecture

Forging Fingerprints Using Molding

Page 24: Week3 lecture

Forging Fingerprints Using Surgical Operations

Page 25: Week3 lecture

Forging Fingerprints Using Actual Fingers

Page 26: Week3 lecture

Biometric-Based Authentication

Iris scanning
• Takes a picture of the iris (colored part of the eye)
• Irises are very random, but stable through life
• Differs between the two eyes of the same individual
• Equal error rate better than 1 in a million
• Works with contact lenses and glasses
• Best biometric mechanism currently known

Retina pattern
• Laser scans of blood vessels in the back of the eye
• Retina can change due to medical conditions
• Reveals the user's health (privacy issues?)

Hand geometry
• Identifies the user by the shape of his fingers and hand

Voice recognition

Page 27: Week3 lecture

Biometric-Based Authentication

False Rejection Rate (FRR): the rate at which the system rejects an authorized individual (Type I error)

False Acceptance Rate (FAR): the rate at which the system accepts an intruder who should be rejected (Type II error)

Crossover Error Rate (CER): the point at which the false rejection rate equals the false acceptance rate. Raising the decision threshold lowers FAR and raises FRR, lowering it does the reverse, so neither rate alone describes a system; the CER is the metric used to compare biometric systems, and lower is better.
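FRR, FAR and CER computed over matcher scores, as an added example that is not part of the lecture. The score lists, the threshold sweep and the convention that a higher score means a better match are assumptions for the demo; real systems derive these rates from thousands of trial attempts.

```python
from typing import List, Tuple

# Constructed matcher scores in [0, 1] (higher = more similar to the enrolled
# template). Real systems produce thousands of these from trial attempts.
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.62, 0.55]   # authorized users
IMPOSTOR = [0.20, 0.25, 0.30, 0.35, 0.40, 0.48, 0.52, 0.58, 0.64, 0.72]  # intruders


def accept(score: float, threshold: float) -> bool:
    """The biometric decision: accept if the match score reaches the threshold."""
    return score >= threshold


def frr(threshold: float, genuine: List[float]) -> float:
    """False Rejection Rate: fraction of authorized attempts that are rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def far(threshold: float, impostor: List[float]) -> float:
    """False Acceptance Rate: fraction of impostor attempts that are accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FRR, FAR) where FRR and FAR are closest to equal: the CER.
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(frr(t, genuine) - far(t, impostor)))
    return best, frr(best, genuine), far(best, impostor)


def better_system(cer_a: float, cer_b: float) -> str:
    """Lower CER means the more accurate system (the slide's comparison metric)."""
    return "A" if cer_a < cer_b else "B" if cer_b < cer_a else "tie"


if __name__ == "__main__":
    t, r, a = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: FRR={r:.2f} FAR={a:.2f}")
    print("strict threshold 0.80: FRR", frr(0.80, GENUINE), "FAR", far(0.80, IMPOSTOR))
```

With these scores the curves cross at a threshold of 0.64 with both rates at 20%; moving the threshold to 0.80 drives FAR to zero but rejects 60% of legitimate users, which is the trade-off an operator chooses between convenience and security.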

Page 28: Week3 lecture

Single Sign On

A user authenticates once and then accesses resources in the environment without having to re-authenticate to each of them.

The user authenticates once to the SSO application. Any time the user accesses a new application, the SSO application sends the necessary authentication information on the user's behalf.

Can be difficult to integrate among different applications and platforms.

Page 29: Week3 lecture

Reduced Single Sign On (Password Synchronization)

Password synchronization
• Like single sign-on (SSO), a single credential for many systems
• But no inter-system session management
• User must log into each system separately, but they all use the same username and password
• Will the user choose a complex password?

Weakness of SSO and RSSO
• An intruder can access all systems if the one password is compromised
• Best is to combine with two-factor authentication

Page 30: Week3 lecture

SSO Summary

• Trusted authentication service on the network
• Knows all passwords: users and servers
• Time sensitive (tickets have limited validity, clocks must be synchronized)
• Convenient ☺
• Single point of failure
• Requires a high level of physical security

Page 31: Week3 lecture

SSO Summary

The SSO server knows all users' and servers' passwords.

1. The user proves his identity to the SSO server and requests a ticket for some service
2. The user gets the ticket
3. The ticket is used to access the desired network service on one of the servers

Page 32: Week3 lecture

SSO: Kerberos Network Authentication Protocol

Developed by MIT. Consists of 3 components:
• Client
• Server
• Key Distribution Center (KDC), made up of the Authentication Server (AS) and the Ticket Granting Server (TGS)

Process: the client obtains a service ticket from the KDC and presents the ticket to the server when the connection is established.

Cryptography: Kerberos uses symmetric-key encryption only (DES in version 4; version 5 allows other ciphers).

Page 33: Week3 lecture

SSO: Kerberos Steps (user Ahmed)

1. User -> Kerberos Authentication Service: user name, proven with Key-User (the key derived from the user's password)
2. Authentication Service -> User: Session Key + Ticket Granting Ticket (TGT), encrypted with Key-User. TGT = User Name + User Address + Validity + Session Key, encrypted with Key-TGS so that only the Ticket Granting Service can read it
3. User -> Kerberos Ticket Granting Service: TGT + name of the requested service, protected with the Session Key
4. Ticket Granting Service -> User: a service Ticket = User Name + User Address + Validity + new Session Key, encrypted with Key-Service, plus the new Session Key for the user

Page 34: Week3 lecture

SSO: Kerberos Steps

5. User -> Server: Ticket + request protected with the new Session Key
6. Server -> User: confirmation encrypted with the Session Key (the server could only read the ticket, and so learn the Session Key, with its Key-Service)

Page 35: Week3 lecture

SSO: Sesame

Another SSO option is Sesame: Secure European System for Applications in a Multivendor Environment
• Kerberos uses symmetric encryption only
• Sesame uses symmetric and asymmetric encryption

Page 36: Week3 lecture

Objectives

Authentication: Who goes there?
• Determine whether access is allowed
• Verify the identity of a subject
• Authenticate human to machine
• Authenticate machine to machine

Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions

Page 37: Week3 lecture

Basic Access Control Concepts

Subjects: active entities that do things, e.g. humans, processes
Objects: passive things that things are done to, e.g. files, data, websites
Rights: actions that are taken, e.g. read, write, share

Page 38: Week3 lecture

Access Control Models

Authenticated users can access the system based on:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Rule-Based Access Control (also abbreviated RBAC; sometimes written RuBAC to avoid confusion)

Page 39: Week3 lecture

Access Control Models

Discretionary Access Control (DAC)
• Subjects have full control of the objects they own
• The "discretionary" part of DAC means that a file owner has the ability to change the permissions on that file
• Most common access control system; used in both UNIX and Windows operating systems
• Uses file permissions and ACLs to restrict access based on the user's identity or group membership
• The file's owner can change the file's permissions any time they want, so the protection is only as careful as the owner (and any program running as the owner inherits the same discretion)

Page 40: Week3 lecture

Access Control Models

Mandatory Access Control (MAC)
• Restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information
• Each subject and object is labeled with a sensitivity level; the system enforces the labels, owners cannot change them
• U.S. Government security labels:
  • Top Secret (grave damage)
  • Secret (serious damage)
  • Confidential (damage)
  • Unclassified
• A subject may read an object only if its clearance is equal to or greater than the object's label ("no read up"); in the Bell-LaPadula model the subject may also not write to an object below its clearance ("no write down"), which stops sensitive data being copied into a less sensitive file
• MAC systems are usually focused on preserving the confidentiality of data

Page 41: Week3 lecture

Access Control Models

Role-Based Access Control (RBAC)
• Role-based access control is the process of managing access and privileges based on the user's assigned roles: permissions are granted to roles, and users are assigned to roles
• Example roles: SecurityAdmin, DatabaseAdmin, EmailAdmin, Nurse

Rule-Based Access Control (RBAC)
• Access is either allowed or denied based on a set of predefined rules that are established by the administrator
• Example rules: limited login hours, limited BitTorrent traffic
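The four models side by side as added example code, not from the lecture: a DAC check with an owner-controlled ACL, a MAC check using the sensitivity levels from the previous slide (Bell-LaPadula read-down / write-up), an RBAC check against a role-permission table, and a rule-based login-hours check. The combined decision is default deny: anything not explicitly allowed is refused. The role table, the login-hour rule and all subjects and resources are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Sensitivity levels from the slide, ordered; a higher number is more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "Unclassified"          # used by MAC
    groups: FrozenSet[str] = frozenset()     # used by DAC
    roles: FrozenSet[str] = frozenset()      # used by RBAC


@dataclass
class Resource:
    name: str
    kind: str                                # e.g. "file", "db", "patient_record"
    owner: str
    label: str = "Unclassified"              # MAC sensitivity label
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: principal -> rights


def dac_allows(subject: Subject, obj: Resource, right: str) -> bool:
    """DAC: the owner holds every right; everyone else needs an ACL entry
    naming them or one of their groups."""
    if subject.name == obj.owner:
        return True
    principals = {subject.name, *subject.groups}
    return any(right in obj.acl.get(p, set()) for p in principals)


def dac_set_acl(actor: Subject, obj: Resource, principal: str, rights: Iterable[str]) -> None:
    """The 'discretionary' part: only the owner may change permissions."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} is not the owner of {obj.name}")
    obj.acl[principal] = set(rights)


def mac_allows(subject: Subject, obj: Resource, right: str) -> bool:
    """MAC (Bell-LaPadula): read only if clearance >= label ('no read up');
    write only if clearance <= label ('no write down'), so a Top Secret user
    cannot copy data into an Unclassified file."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


# RBAC: permissions attach to roles, users get roles. Constructed table for the demo.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "DatabaseAdmin": {("db", "read"), ("db", "write")},
    "Nurse": {("patient_record", "read")},
    "SecurityAdmin": {("audit_log", "read")},
}


def rbac_allows(subject: Subject, obj: Resource, right: str) -> bool:
    return any((obj.kind, right) in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


# Rule-based: administrator-defined conditions checked on every request,
# here "logins only between 08:00 and 18:00" (assumed rule). No matching rule -> denied.
LOGIN_HOURS: Tuple[Tuple[int, int], ...] = ((8, 18),)


def rule_allows(hour: int, rules: Tuple[Tuple[int, int], ...] = LOGIN_HOURS) -> bool:
    return any(start <= hour < end for start, end in rules)


def access_allowed(subject: Subject, obj: Resource, right: str, hour: int,
                   model: str, rules: Tuple[Tuple[int, int], ...] = LOGIN_HOURS) -> bool:
    """Combined decision: the chosen model's check AND the time rule.
    An unknown model or a missing rule yields False (implicit deny)."""
    checks = {"DAC": dac_allows, "MAC": mac_allows, "RBAC": rbac_allows}
    if model not in checks:
        return False
    return checks[model](subject, obj, right) and rule_allows(hour, rules)
```

The MAC check is the one that differs from intuition: a Secret user can write into a Top Secret file (write up) but cannot read it, and a Top Secret user cannot write into a public file, because the model protects confidentiality rather than integrity.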

Page 42: Week3 lecture

Access Control Models Examples

Organization Goal          | Preferred Access Control Model
---------------------------|-------------------------------
Normal level of security   |
High turnover rate         |
High level of security     |

Page 43: Week3 lecture

What Next? ... Access Control Administration

Once the organization determines what type of access control model it will be using, it needs to identify the administration type to support that model.

Access control administration can be:

Centralized
• Maintain usernames and permissions in one location
• One entity makes all access decisions about AAA: Authentication, Authorization, and Accounting
• e.g. SSO, RADIUS, Diameter, TACACS

Decentralized
• Store usernames and permissions in different locations
• Allows the IT administration to be closer to the mission and operations of the organization

Page 44: Week3 lecture

Centralized Access Control Administration

RADIUS: Remote Authentication Dial In User Service
• The protocol is a third-party authentication system
• Considered an "AAA" system, comprising three components: authentication, authorization, and accounting
• Authenticates a subject's credentials against an authentication database
• Authorizes users by allowing specific users access to specific data objects
• Accounts for each data session by creating a log entry for each RADIUS connection made

Page 45: Week3 lecture

Centralized Access Control Administration

Diameter
• RADIUS's successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework
• RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security
• Diameter is more flexible, allowing support for mobile remote users

TACACS & TACACS+
• Terminal Access Controller Access Control System (TACACS): a centralized access control system that requires users to send an ID and a static (reusable) password for authentication
• Reusable passwords are a security vulnerability: anyone who captures or guesses the password can use it again
• The improved TACACS+ provides better password protection by allowing two-factor strong authentication (and it encrypts the whole packet body, where RADIUS hides only the password field)

Page 46: Week3 lecture

Centralized Access Control Administration

Password Authentication Protocol (PAP)
• Not a strong authentication method
• A user enters a password, which is sent across the network in clear text
• Sniffing the network may disclose plaintext passwords

Challenge Handshake Authentication Protocol (CHAP)
• Provides protection against playback (replay) attacks: the authenticator sends a fresh random challenge and the peer answers with a hash over the challenge and the secret, so a captured response is useless against the next challenge
• Uses a central location that challenges remote users
• CHAP depends upon a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual

Page 47: Week3 lecture

What Next? ... Access Control Techniques

Once the organization determines what type of access control model and administration it will be using, it needs to identify techniques to support that model.

Access control techniques can be of three types: Administrative, Technical, Physical

Access control techniques fall into six categories: Preventive, Deterrent, Detective, Corrective, Recovery, Compensating

Page 48: Week3 lecture

Access Control Types

Administrative: policy, procedures, standards
• e.g. password policies, pre-employment checks, security awareness

Technical: hardware or software for IT security
• e.g. authentication, encryption, firewalls, anti-virus

Physical: controls that you can typically see
• e.g. key card entry, fencing, video surveillance, locks, guard dogs, gates, guards, alarms, badges

Page 49: Week3 lecture

Access Control Categories

The access controls can be grouped into six categories:
• Preventive: avoids an incident from happening
• Deterrent: discourages a potential attacker
• Detective: alerts and aids in identification after the fact
• Corrective: repairs damage and restores systems after an event
• Recovery: restores normal operations
• Compensating: contains weaknesses in other controls

Page 50: Week3 lecture

Access Control Categories

Preventive controls
• Intended to avoid an incident from happening
• e.g. firewalls, anti-virus software, fences, policies, pre-employment screening

Page 51: Week3 lecture

Access Control Categories

Deterrent controls
• Intended to discourage a potential attacker
• Highly visible
• e.g. guards, guard dogs, "electric fence" signs

Detective controls
• Alert and aid in identification after the fact
• e.g. video surveillance, audit logs, IDS, motion detectors

Page 52: Week3 lecture

Access Control Categories

Corrective controls
• Fix components or systems after an incident has occurred
• Post-event controls to prevent recurrence
• Can be preventive, detective, deterrent or administrative in nature
• e.g. termination, reassignment, reboot, restart, fire extinguisher, antivirus (cleaning an infection)

Page 53: Week3 lecture

Access Control Categories

Recovery controls
• Intended to bring systems back to regular operations
• e.g. hot site, backups, incident response plan

Compensating controls
• Additional security control put in place to compensate for weaknesses in others
• e.g. daily monitoring of the anti-virus console, monthly review of administrative logins, a Web Application Firewall used to protect a buggy application

Page 54: Week3 lecture

Access Control Types & Categories

Page 55: Week3 lecture

Access Control Types & Categories

Page 56: Week3 lecture

Access Control Principles

1. Least Privilege
2. Separation of Duties
3. Implicit Deny
4. Job Rotation
5. Layered Security
6. Diversity of Defense
7. Security Through Obscurity
8. Keep it Simple

Page 57: Week3 lecture

Access Control Principles

Least Privilege
• A subject (user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions
• By limiting a subject's privilege, we limit the amount of harm that can be caused if it is compromised or misused
• For example, a person should not be logged in as an administrator; they should be logged in with a regular user account and change their context (e.g. sudo, "Run as administrator") only for the administrative duties themselves

Page 58: Week3 lecture

Access Control Principles

Separation of Duties
• For any given task, more than one individual needs to be involved
• Applicable to physical environments as well as network and host security
• No single individual can abuse the system alone; abuse requires collusion
• Important tasks include:
  • Financial transactions
  • Software changes
  • User account creation / changes
• Potential drawback is the cost:
  • Time: tasks take longer
  • Money: must pay two people instead of one

Page 59: Week3 lecture

Access Control Principles

Implicit Deny
• If a particular situation is not covered by any of the rules, then access is not granted
• Any individual without proper authorization cannot be granted access
• The alternative to implicit deny is to allow access unless a specific rule forbids it (default allow); that design fails open whenever a rule is missing or mistyped

Page 60: Week3 lecture

Access Control Principles

Job Rotation
• The rotation of individuals through different tasks and duties in the organization's IT department
• The individuals gain a better perspective of how the various parts of the IT department can help or hinder the organization
• Prevents a single point of failure where only one employee knows mission-critical job tasks
• Also makes long-running abuse harder to hide, since the next person in the job can notice it

Page 61: Week3 lecture

Access Control Principles: Diversity of Defense

• This concept complements the layered security (defense in depth) approach
• Diversity of defense involves making the different layers of security dissimilar
• Even if attackers know how to get through the system at one layer, they may not know how to get through the next layer, which employs a different system of security (e.g. firewalls from two vendors, so one vendor's flaw does not open both)

Page 62: Week3 lecture

Access Control Principles: Keep it Simple

• The simple security rule is the practice of keeping security processes and tools simple and elegant
• Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot
• A system should only run the services that it needs to provide and no more

Page 63: Week3 lecture

Access Control Threats & Countermeasures

Attack                                               | Countermeasure
-----------------------------------------------------|----------------
Port scanning                                        |
Application vulnerability scanning                   |
Denial of Service (DoS or DDoS)                      |
Man-in-the-middle attacks (sniffing & TCP hijacking) |
Virus, worm, Trojan, logic bomb                      |
Password attacks (guessing, dictionary, brute force) |
Social engineering (spoofing, phishing)              |
Physical attacks                                     |

Page 64: Week3 lecture

Access Control Assessment

Penetration Testing
• Performed by an authorized white-hat hacker to determine whether a black-hat hacker could do the same
• The tester can have:
  • Zero knowledge ("blind"): has public information only
  • Full knowledge: has internal information, e.g. network diagrams, policies, procedures, reports from previous testers
  • Partial knowledge: has limited trusted information

Vulnerability Testing
• Scans the network or system against a list of predefined vulnerabilities
• Examples of automated tools: Nessus, MBSS, Retina, ISS

Security Audit
• The organization is tested against a published standard, e.g. Payment Card Industry (PCI) compliance

Page 65: Week3 lecture

Extra reading

Page 66: Week3 lecture

Henric Johnson 66

KERBEROS

In Greek mythology, a many-headed dog, the guardian of the entrance of Hades

Page 67: Week3 lecture


KERBEROS

• Problem statement:
  • Users wish to access services on distributed servers
  • Servers wish to restrict access to authorized users and authenticate requests for service
• Three threats exist:
  • A user pretends to be another user
  • A user alters the network address of a workstation
  • A user eavesdrops on exchanges and uses a replay attack

Page 68: Week3 lecture


What is KERBEROS?

• A key distribution and user authentication service developed at MIT
  • Provides a centralized authentication server to authenticate users to servers and servers to users
  • Relies on conventional (symmetric) encryption, making no use of public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES

Page 69: Week3 lecture

Kerberos Requirements

• Its first report identified the requirements as:
  • secure
  • reliable
  • transparent
  • scalable
• Implemented using an authentication protocol based on Needham-Schroeder

Page 70: Week3 lecture

Kerberos v4 - Overview

• A basic third-party authentication scheme
• Has an Authentication Server (AS)
  • Users initially negotiate with the AS to identify themselves
  • The AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
• Has a Ticket Granting Server (TGS)
  • Users subsequently request access to other services from the TGS on the basis of their TGT
• Uses a complex protocol based on DES

Page 71: Week3 lecture


Kerberos Version 4 - related terms

• C = client
• AS = authentication server
• V = server
• IDc = identifier of user on C
• IDv = identifier of V
• Pc = password of user on C
• ADc = network address of C
• Kv = secret encryption key shared by AS and V
• TS = timestamp
• || = concatenation

Page 72: Week3 lecture


A simple authentication dialogue

(1) C -> AS:  IDc || Pc || IDv
(2) AS -> C:  Ticket
(3) C -> V:   IDc || Ticket

Ticket = E_Kv[IDc || ADc || IDv]

The ticket is sealed with Kv, so only V can read it, and it binds the user's identity to the address of C. Two weaknesses remain: the password Pc travels in the clear in step (1), and the ticket can be reused by anyone who captures it; the later exchanges address both.

Page 73: Week3 lecture


Version 4 Authentication Dialogue

• Problems:
  • Lifetime associated with the ticket-granting ticket
  • If too short, the user is repeatedly asked for the password
  • If too long, greater opportunity for replay
• The threat is that an opponent will steal the ticket and use it before it expires

Page 74: Week3 lecture

Henric Johnson 74

Version 4 Authentication Dialogue

Authentication Service Exchange: to obtain the Ticket-Granting Ticket
(1) C -> AS:   IDc || IDtgs || TS1
(2) AS -> C:   E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]

Ticket-Granting Service Exchange: to obtain a Service-Granting Ticket
(3) C -> TGS:  IDv || Ticket_tgs || Authenticator_c
(4) TGS -> C:  E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]

Client/Server Authentication Exchange: to obtain service
(5) C -> V:    Ticket_v || Authenticator_c
(6) V -> C:    E_Kc,v[TS5 + 1]

Kc is derived from the user's password, so only the real user can open message (2) and the password itself never crosses the network. Kc,tgs and Kc,v are session keys chosen by the KDC. The authenticator (IDc || ADc || TS) is encrypted with the session key and proves that whoever presents the ticket also knows that key, which a stolen ticket alone does not give. Message (6) proves V could decrypt the ticket, so the client also authenticates the server.
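Messages (1) to (6) above, and the same exchange drawn in the earlier "SSO: Kerberos Steps" slides, run end to end as an added example that is not from the lecture or from MIT Kerberos. The cipher is a stand-in: v4 used DES, which Python's standard library lacks, so the block protects each message with a SHA-256 keystream plus an HMAC tag. The KDC, the realm's users, keys and addresses are constructed for the demo, and the field names follow the slide's notation (IDc, ADc, Kc,tgs, Ticket_v, TS5 + 1).

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # Lifetime2 / Lifetime4 in seconds (assumed)
SKEW = 300            # max age of an authenticator timestamp (assumed clock-skew allowance)


def encrypt(key: bytes, obj) -> bytes:
    """Stand-in for E_K[...]: SHA-256 keystream XOR plus HMAC tag (encrypt-then-MAC).
    Kerberos v4 used DES, which the standard library lacks; this is NOT a production cipher."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Inverse of encrypt; raises ValueError on a wrong key or a modified message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # Kc, derived from Pc


class KDC:
    """Authentication Server (AS) + Ticket Granting Server (TGS): knows every Kc and Kv."""

    def __init__(self, users: dict, servers: dict):
        self.user_keys = {u: key_from_password(p) for u, p in users.items()}
        self.server_keys = servers                      # includes "tgs": Ktgs

    def authentication_service(self, idc: str, adc: str, ts1: int) -> bytes:
        # (1) C -> AS: IDc || IDtgs || TS1
        # (2) AS -> C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]
        kc_tgs = os.urandom(32).hex()
        ticket_tgs = encrypt(self.server_keys["tgs"], {"Kc,tgs": kc_tgs, "IDc": idc, "ADc": adc,
                                                       "IDtgs": "tgs", "TS2": ts1, "Lifetime2": LIFETIME})
        return encrypt(self.user_keys[idc], {"Kc,tgs": kc_tgs, "IDtgs": "tgs", "TS2": ts1,
                                             "Lifetime2": LIFETIME, "Ticket_tgs": ticket_tgs.hex()})

    def ticket_granting_service(self, idv: str, ticket_tgs: bytes, authenticator: bytes,
                                adc: str, now: int) -> bytes:
        # (3) C -> TGS: IDv || Ticket_tgs || Authenticator_c
        # (4) TGS -> C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]
        t = decrypt(self.server_keys["tgs"], ticket_tgs)
        if now > t["TS2"] + t["Lifetime2"]:
            raise PermissionError("TGT expired")
        kc_tgs = bytes.fromhex(t["Kc,tgs"])
        a = decrypt(kc_tgs, authenticator)              # only the real C holds Kc,tgs
        if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or adc != t["ADc"] or abs(now - a["TS3"]) > SKEW:
            raise PermissionError("authenticator does not match ticket")
        kc_v = os.urandom(32).hex()
        ticket_v = encrypt(self.server_keys[idv], {"Kc,v": kc_v, "IDc": t["IDc"], "ADc": t["ADc"],
                                                   "IDv": idv, "TS4": now, "Lifetime4": LIFETIME})
        return encrypt(kc_tgs, {"Kc,v": kc_v, "IDv": idv, "TS4": now, "Ticket_v": ticket_v.hex()})


class Server:
    """Application server V: shares Kv with the KDC and nothing with the user."""

    def __init__(self, idv: str, kv: bytes):
        self.idv, self.kv, self.seen = idv, kv, set()

    def serve(self, ticket_v: bytes, authenticator: bytes, adc: str, now: int) -> bytes:
        # (5) C -> V: Ticket_v || Authenticator_c
        # (6) V -> C: E_Kc,v[TS5 + 1]   (V proves it could open the ticket: mutual authentication)
        t = decrypt(self.kv, ticket_v)
        if now > t["TS4"] + t["Lifetime4"]:
            raise PermissionError("service ticket expired")
        kc_v = bytes.fromhex(t["Kc,v"])
        a = decrypt(kc_v, authenticator)
        if t["IDv"] != self.idv or a["IDc"] != t["IDc"] or adc != t["ADc"] or abs(now - a["TS5"]) > SKEW:
            raise PermissionError("bad ticket or authenticator")
        if (a["IDc"], a["TS5"]) in self.seen:           # the replay threat from the slides
            raise PermissionError("replayed authenticator")
        self.seen.add((a["IDc"], a["TS5"]))
        return encrypt(kc_v, {"TS5+1": a["TS5"] + 1})


class Client:
    def __init__(self, idc: str, password: str, adc: str):
        self.idc, self.kc, self.adc = idc, key_from_password(password), adc

    def login_and_access(self, kdc: KDC, server: Server, now: int) -> bool:
        m2 = decrypt(self.kc, kdc.authentication_service(self.idc, self.adc, now))  # wrong Pc fails here
        kc_tgs = bytes.fromhex(m2["Kc,tgs"])
        auth_c = encrypt(kc_tgs, {"IDc": self.idc, "ADc": self.adc, "TS3": now})
        m4 = decrypt(kc_tgs, kdc.ticket_granting_service(server.idv, bytes.fromhex(m2["Ticket_tgs"]),
                                                         auth_c, self.adc, now))
        kc_v = bytes.fromhex(m4["Kc,v"])
        auth_c = encrypt(kc_v, {"IDc": self.idc, "ADc": self.adc, "TS5": now})
        m6 = decrypt(kc_v, server.serve(bytes.fromhex(m4["Ticket_v"]), auth_c, self.adc, now))
        return m6["TS5+1"] == now + 1


def attempt(client: Client, kdc: KDC, server: Server, now: int) -> str:
    """Run the whole dialogue: 'ok' on success, otherwise the reason it failed."""
    try:
        return "ok" if client.login_and_access(kdc, server, now) else "bad server reply"
    except (ValueError, PermissionError, KeyError) as exc:
        return str(exc) or type(exc).__name__
```

Three things to notice when running it: a wrong password fails at message (2) without the password ever leaving the client; a server that does not hold the registered Kv cannot open Ticket_v and so cannot fake message (6); and presenting the same authenticator timestamp twice to V is refused, which is the defence against the replay threat listed in the Kerberos problem statement.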

Page 75: Week3 lecture

Kerberos v4 - detailed Dialogue

Page 76: Week3 lecture


Kerberos operation

Page 77: Week3 lecture

Kerberos Realms

• A Kerberos environment consists of:
  • a Kerberos server
  • a number of clients, all registered with the server
  • application servers, sharing keys with the server
• This is termed a realm, typically a single administrative domain
• If there are multiple realms, their Kerberos servers must share keys and trust each other

Page 78: Week3 lecture

Request for Service in Another Realm

Page 79: Week3 lecture


Main Differences Between Version 4 and 5

• Kerberos V5 was developed in the mid 1990s
• Specified as Internet standard RFC 1510 (since superseded by RFC 4120)
• Provides improvements over v4, in terms of:
  • Encryption system dependence (v4 is tied to DES)
  • Internet protocol dependence (v4 is tied to IP addresses)
  • Message byte ordering
  • Ticket lifetime
  • Authentication forwarding
  • Inter-realm authentication

Page 80: Week3 lecture


Kerberos in practice

Currently there are two Kerberos versions:
• 4: restricted to a single realm
• 5: allows inter-realm authentication; described here as "in beta test", though it has long since replaced v4 in deployments
• Kerberos v5 is an Internet standard, specified in RFC 1510, and used by many utilities

To use Kerberos:
• need to have a KDC on your network
• need to have Kerberised applications running on all participating systems
• a major problem historically was US export restrictions: Kerberos could not be directly distributed outside the US in source format (binary versions had to obscure crypto routine entry points and have no encryption), so crypto libraries had to be reimplemented locally