CMPE208 Presentation
Terminal Access Controller Access Control System Plus (TACACS+)
By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
Agenda
• Introduction – TACACS+
• Format and Header Values
• TACACS+ Operations (AAA)
• Vulnerabilities
• Conclusion
Introduction – TACACS+
• TACACS+ (Terminal Access Controller Access-Control System Plus), pronounced “tack-acks plus”.
• TACACS+ originated from the TACACS and extended TACACS (XTACACS) protocols, but it is not compatible with them.
• A Cisco proprietary protocol.
• Provides access control for routers, network access servers, and many other networked computing devices through one or more centralized servers.
• Provides separate Authentication, Authorization, and Accounting (AAA) services for server access.
Format and Header Values
• Every TACACS+ packet has a 12-byte header.
• The header is always sent in clear text.
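As an added example, not from the slides or from any Cisco or open-source TACACS+ implementation, the following Python encodes and decodes the 12-byte header described above using the field layout of the draft the slides cite, and refuses to act on the length field until every header field has been bounded (the unchecked-length allocation is the implementation defect discussed on the DoS/overflow slide later in the deck). The MAX_BODY_LEN ceiling and the helper names are this example's own assumptions.

```python
import struct

# TACACS+ header, 12 bytes, network byte order (per the draft the slides cite):
#   version (1 byte) : major version in the high nibble (0xC), minor in the low nibble
#   type (1 byte)    : 1 = authentication, 2 = authorization, 3 = accounting
#   seq_no (1 byte)  : 1 for the first packet of a session, +1 for each packet after
#   flags (1 byte)   : 0x01 = body not obfuscated, 0x04 = single-connect mode
#   session_id (4)   : random value chosen per session
#   length (4)       : number of body bytes that follow the header
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 12

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04

# Ceiling on the body size a receiver will allocate for. The protocol defines
# no such limit; this value is an assumption of this example.
MAX_BODY_LEN = 64 * 1024


def pack_header(ptype, seq_no, session_id, body_len, minor_ver=0, flags=0):
    """Build the 12-byte header for a body of body_len bytes."""
    version = (TAC_PLUS_MAJOR_VER << 4) | (minor_ver & 0x0F)
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, body_len)


def parse_header(data):
    """Decode the header into a dict, validating every field before the
    length is used for anything; an unbounded length must never reach an
    allocator or a size computation."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    if ptype not in (TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT):
        raise ValueError(f"unknown packet type {ptype}")
    if seq_no == 0:
        raise ValueError("seq_no starts at 1")
    if length > MAX_BODY_LEN:
        raise ValueError(f"declared body length {length} exceeds limit")
    return {
        "major_version": version >> 4, "minor_version": version & 0x0F,
        "type": ptype, "seq_no": seq_no, "flags": flags,
        "session_id": session_id, "length": length,
        "obfuscated": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


def split_packet(data):
    """Return (header, body); the body is accepted only when its size equals
    the header's length field, so a short or oversized read is never trusted."""
    hdr = parse_header(data)
    body = data[HEADER_LEN:]
    if len(body) != hdr["length"]:
        raise ValueError(f"header says {hdr['length']} body bytes, got {len(body)}")
    return hdr, body


def is_well_formed(data):
    """Boolean wrapper around split_packet, the shape a packet filter or monitor wants."""
    try:
        split_packet(data)
        return True
    except ValueError:
        return False
```

Because the header travels in clear text, a packet filter in front of the server can apply exactly these checks without knowing the shared key; the obfuscated body is only examined after the header has passed.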
TACACS+ Authentication
• Determines who is allowed to gain access to the network.
• Uses usernames and passwords, or “one time” passwords.
• Takes place when the user first logs in to a machine or requests a service of it.
• Packet types: START, CONTINUE and REPLY.
• START and CONTINUE are always sent by the client;
• REPLY is always sent by the daemon.
Authentication Process
1. The user sends a connection request;
2. A START packet is sent to the AAA server;
3. A REPLY packet is sent back, requesting the user name;
4. The client sends a CONTINUE packet to the AAA server with the username;
5. A REPLY packet is sent back, asking for the password;
6. The client sends a CONTINUE packet to the AAA server with the password;
7. A REPLY packet is sent back to indicate a pass/fail of authentication.
[Figure: TACACS+ Authentication Process]
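The exchange above, as an added Python example that is not part of the original slides: the START, REPLY and CONTINUE bodies are laid out as in the draft the slides reference, and a small daemon with a constructed credential table walks an ASCII login from START through GETUSER and GETPASS to PASS or FAIL. The 12-byte header is left out (only the sequence number is passed beside each body); the AuthenDaemon class, its state names and the credential table are this example's own assumptions.

```python
import hmac
import struct

# REPLY status codes from the draft (names on the slide: pass/fail, user and password prompts).
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 7: "ERROR"}
PASS, FAIL, GETUSER, GETPASS, ERROR = 1, 2, 4, 5, 7


def pack_start(user=b"", port=b"tty0", rem_addr=b"", data=b"",
               action=1, priv_lvl=1, authen_type=1, service=1):
    """START body: 8 fixed bytes (action, priv_lvl, authen_type, service and
    four one-byte lengths), then user, port, rem_addr, data."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_start(body):
    if len(body) < 8:
        raise ValueError("truncated START body")
    user_len, port_len, rem_len, data_len = struct.unpack("!8B", body[:8])[4:]
    if len(body) != 8 + user_len + port_len + rem_len + data_len:
        raise ValueError("START length fields do not match body")
    user = body[8:8 + user_len]
    port = body[8 + user_len:8 + user_len + port_len]
    return {"user": user, "port": port}


def pack_reply(status, server_msg=b"", data=b"", flags=0):
    """REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_reply(body):
    status, _flags, sm_len, d_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + sm_len + d_len:
        raise ValueError("REPLY length fields do not match body")
    return status, body[6:6 + sm_len]


def pack_continue(user_msg, data=b"", flags=0):
    """CONTINUE body: user_msg_len(2) data_len(2) flags(1) user_msg data."""
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def parse_continue(body):
    um_len, d_len, _flags = struct.unpack("!HHB", body[:5])
    if len(body) != 5 + um_len + d_len:
        raise ValueError("CONTINUE length fields do not match body")
    return body[5:5 + um_len]


class AuthenDaemon:
    """Server side of one authentication session (constructed, not tac_plus)."""

    def __init__(self, users):
        self.users = users          # constructed table: {username: password}, bytes
        self.state = "START"        # START -> WANT_USER -> WANT_PASS -> DONE
        self.expected_seq = 1       # client packets carry odd seq_no, replies even
        self.user = b""

    def handle(self, seq_no, body):
        """Return (reply_seq_no, reply_body); an out-of-order seq_no ends the session."""
        if seq_no != self.expected_seq:
            self.state = "DONE"
            return seq_no + 1, pack_reply(ERROR, b"bad sequence number")
        self.expected_seq = seq_no + 2
        if self.state == "START":
            self.user = parse_start(body)["user"]
            if not self.user:                       # step 3: ask for the username
                self.state = "WANT_USER"
                return seq_no + 1, pack_reply(GETUSER, b"Username: ")
            self.state = "WANT_PASS"
            return seq_no + 1, pack_reply(GETPASS, b"Password: ")
        if self.state == "WANT_USER":               # step 5: ask for the password
            self.user = parse_continue(body)
            self.state = "WANT_PASS"
            return seq_no + 1, pack_reply(GETPASS, b"Password: ")
        if self.state == "WANT_PASS":               # step 7: pass/fail verdict
            self.state = "DONE"
            expected = self.users.get(self.user, b"")
            ok = self.user in self.users and hmac.compare_digest(parse_continue(body), expected)
            return seq_no + 1, pack_reply(PASS if ok else FAIL)
        return seq_no + 1, pack_reply(ERROR, b"session finished")


def ascii_login(daemon, username, password):
    """Drive the client side; return the transcript [(packet, seq_no, status_name), ...]."""
    transcript, answers = [], iter([username, password])
    name, seq, body = "START", 1, pack_start()      # step 2: START without a username
    while True:
        transcript.append((name, seq, None))
        rseq, rbody = daemon.handle(seq, body)
        status, _prompt = parse_reply(rbody)
        transcript.append(("REPLY", rseq, AUTHEN_STATUS[status]))
        if status not in (GETUSER, GETPASS):
            return transcript
        name, seq, body = "CONTINUE", rseq + 1, pack_continue(next(answers))
```

The sequence-number check in `handle` is what ties the six packets into one session: a daemon that accepts any seq_no would also accept a resent packet, which is the replay weakness discussed under Vulnerabilities.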
TACACS+ Authorization
• Determines what a user is allowed to do.
• Determines what services the user has access to.
• Customizes the service for the particular user.
• An authorization session is defined as a single pair of messages, a REQUEST followed by a RESPONSE.
Authorization Process
1. The user requests a resource (assuming authentication has already taken place);
2. A REQUEST packet is sent to the AAA server for a certain service;
3. A RESPONSE packet is sent back, indicating a pass or fail;
4. User access is granted or denied.
[Figure: TACACS+ Authorization Process]
TACACS+ Accounting
• Follows the processes of authentication and authorization.
• Maintains complete accounting information, used either for billing of the services or for security reasons.
• TACACS+ accounting also uses two message types: a REQUEST and a RESPONSE.
Accounting Process
1. A resource request from the user;
2. A REQUEST packet, flagged START, STOP, or CONTINUE, is sent to the AAA server;
3. A RESPONSE packet is sent back, with status SUCCESS, ERROR, or FOLLOW.
[Figure: TACACS+ Accounting Process]
1) Lack of Integrity Checking
• No integrity checking exists in TACACS+.
• Only the ‘MD5-encryption stream cipher’ mechanism is used.
• Changes can be made to accounting packets without being detected. Example: modifying the elapsed time from 8000 to 1000.
2) Vulnerability to Replay Attacks
• No protection against replay attacks.
• Every TACACS+ session starts with sequence number 1.
• Accounting sessions have only one packet.
• Duplicate accounting records can be produced, with forged task_id fields.
3) Session ID Collision
• The more unique the session IDs, the stronger the encryption.
• Multiple sessions getting the same ID enables a frequency analysis attack.
• Knowing the plaintext of one session allows decrypting another session with the same sequence number and session ID.
• The TACACS+ server encrypts its reply packet with the session's own ID (mostly when the sequence number of the packet is 2).
4) The Birthday Paradox
• Session IDs are too small.
• Leads to fewer unique IDs. Example: 100,000 TACACS+ sessions, 20,000 dial-up sessions, 1000 matches per month, a few hundred user passwords.
5) Lack of Padding
• No padding in any field or at the end of the packet.
• Variable-size data fields can be determined from the packet sizes.
• This reveals the length of user passwords.
6) MD5 Context Leak
• Theoretical vulnerability.
• MD5-like hashes (16 bytes long) should be avoided.
• TACACS+ packets are encrypted by XOR’ing the body with the chained MD5 hashes:
• MD5_1 = MD5(session_id, key, version, seq_no)
• MD5_2 = MD5(session_id, key, version, seq_no, MD5_1)
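The pad construction on this slide, together with the Lack of Integrity Checking, Session ID Collision and Lack of Padding slides, as an added Python example that is not from the slides or from any TACACS+ implementation: the pad is built exactly as MD5_1, MD5_2, ... above from the header fields and the shared key, XORed with the body, and a small collision finder shows what a monitor would flag when two packets under one key share (session_id, version, seq_no). The key and packet bodies are constructed; `md5_chain_block`, `xor_bytes` and `find_pad_collisions` are this example's own names.

```python
import hashlib
import struct


def md5_chain_block(session_id, key, version, seq_no, prev=b""):
    """One 16-byte block of the pad: MD5(session_id, key, version, seq_no, prev).
    session_id is 4 bytes in network order, version and seq_no one byte each,
    exactly as they appear in the header; prev is the previous block
    (empty for MD5_1, so MD5_2 = MD5(..., MD5_1))."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    return hashlib.md5(prefix + prev).digest()


def pseudo_pad(session_id, key, version, seq_no, length):
    """Concatenate MD5_1, MD5_2, ... and truncate to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = md5_chain_block(session_id, key, version, seq_no, prev)
        pad += prev
    return pad[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. The output has the body's exact length (no
    padding) and carries no tag a receiver could check; applying the same
    function again restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return xor_bytes(body, pad)


def find_pad_collisions(headers):
    """Given (session_id, version, seq_no) tuples observed under one shared key,
    return those that occur more than once: every repeat means two bodies were
    XORed with the identical pad, which a monitor should flag."""
    seen, dup = set(), set()
    for h in headers:
        (dup if h in seen else seen).add(h)
    return sorted(dup)
```

Because the pad depends only on the header fields and the key, the deck's three observations follow directly from `obfuscate`: the output length equals the input length, any byte changed in transit changes exactly the corresponding body byte with nothing for the receiver to notice, and two packets that share a pad leak the XOR of their bodies even to someone without the key.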
7) DoS and/or Overflow
• Denial of Service – an attempt to make resources unavailable to the intended users.
• Unlike the others, this is an implementation defect.
• No sanity check on packet lengths.
• No check for an integer overflow when calculating the total memory size to allocate.
FIXES
• Apply packet filtering.
• Choose strong encryption keys.
• Avoid running tac_plus as root.
Conclusion
• TACACS+ is a Cisco proprietary protocol facilitating the AAA model in Cisco devices.
• It provides AAA communication between the AAA client and the AAA server.
• It improves on TACACS and XTACACS by separating authentication, authorization and accounting.
• It is preferred since it runs over TCP, a reliable transport protocol.
Reference
• [1] “The TACACS+ Protocol”, Version 1.78, by D. Carrel, Lol Grant, Cisco Systems, January 1997. http://tools.ietf.org/html/draft-grant-tacacs-02
• [2] “TACACS+ Protocol”, Version 1.76, by D. Carrel, Lol Grant, Cisco Systems, October 1996. http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt
• [3] Cisco Access Control Security: AAA Administrative Services, by Brandon Carroll, May 27, 2004.
• [4] “TACACS+ Authentication for HTTP Server Users”. http://www.cisco.com/warp/public/480/http-2.html
• [5] “TACACS+ and RADIUS Comparison”. http://www.cisco.com/warp/public/480/10.html
Q & A? • Thanks!