Distributed Security Issues 2 • CP3397 • Design of Networks and Security
Objectives • To investigate • Authentication techniques • Authorisation techniques. • Administration issues
Authentication • The process of establishing proof of identity • At least two levels are required: • One - client connects to server • includes both machine and user • Two - for every message communicated • Common mechanisms • Password protection • may need encryption over the network • Message authentication • often uses a checksum
Symmetric encryption - DES • DES is a block cipher that operates on 64-bit data fragments using a 56-bit key • In Cipher Block Chaining (CBC) mode, each block of plaintext is exclusive-ORed with the ciphertext output from the previous encryption operation. Thus, the next block of ciphertext is a function of its corresponding plaintext, the 56-bit key and the previous block of ciphertext. • Identical blocks of plaintext no longer generate identical ciphertext, which makes this system much more difficult to break.
The CBC mode of DES is the normal technique used for encryption in modern business data communications. • A variation on CBC is used where the message may not be a multiple of 64 bits, or where interactive (character at a time) encryption and decryption is desired. This is called Cipher Feedback (CFB) mode, and uses shift registers to permit one byte at a time to be encrypted or decrypted.
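The chaining described above can be seen by encrypting a message made of identical 64-bit blocks. This is an added example, not part of the original slides; because the Python standard library has no DES, a toy 8-round Feistel cipher built on HMAC stands in for it (an assumption, not a real cipher to deploy), and all function names are illustrative.

```python
import hashlib, hmac

BLOCK = 8  # 64-bit blocks, the DES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Toy Feistel round function (stand-in for the DES round function).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 64 bits")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # No chaining: every block is encrypted independently.
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(key, _xor(b, prev))  # XOR with previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)
```

Chaining starts from the initialisation vector, so encrypting the same message twice under the same key and IV still produces the same ciphertext; the IV has to change per message.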
Network Authorisation Firewalls • A firewall is a particular type of network authorisation mechanism • It can operate at the boundary of a network, i.e. between a LAN and the Internet, or at the boundary of a security domain, i.e. between two separate security domains on one LAN • A firewall filters messages destined for specific objects
Firewalls – in concept • It is an installation that regulates the flow of traffic between network segments. • It bases its decisions on the idea that some of the packets may be coming from a non-secure segment into a secure one • Decisions are based on: protocols used, destination address, source address etc.
Firewalls • [Figure: a firewall between the outside world and the secure network]
Firewalls - technically • Can be either software or hardware – they just implement the rules/policy • [Figure: inside network and outside network, separated by two packet-filtering routers and an application gateway]
Routers • These can make decisions on whether to forward a packet based on its destination or source address and port number – e.g. to stop users telnetting in • Packets failing the tests are just dropped without informing the sender • The router on the Internet side of the firewall decides if a packet can enter the LAN • The router on the LAN side decides if a packet can leave the LAN – a bit more tricky, as port numbers are assigned according to convention and some services (e.g. FTP) have port numbers assigned dynamically, so security could be bypassed
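A sketch of the router's decision as a first-match rule table with a silent default drop, added here as an example and not taken from the original slides. The addresses, rule set and packet list are constructed; the second rule set shows how a static workaround for dynamically assigned FTP data ports also lets through an unrelated service on the same host.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed rule table for the Internet-side router (192.0.2.0/24 is the LAN).
# Each rule: (action, source net, destination net, (low port, high port)).
BASE_RULES = [
    ("drop",   ANY, "192.0.2.0/24",  (23, 23)),   # no inbound telnet
    ("accept", ANY, "192.0.2.10/32", (80, 80)),   # public web server
    ("accept", ANY, "192.0.2.20/32", (21, 21)),   # FTP control channel
]
# Static workaround for dynamically assigned FTP data ports: open every high port.
FTP_WORKAROUND = BASE_RULES + [("accept", ANY, "192.0.2.20/32", (1024, 65535))]

def decide(rules, src, dst, dport):
    """First matching rule wins; anything unmatched is dropped silently."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, (lo, hi) in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and lo <= dport <= hi):
            return action
    return "drop"

# Constructed inbound packets: (label, source, destination, destination port).
PACKETS = [
    ("telnet",      "203.0.113.5", "192.0.2.10", 23),
    ("web",         "203.0.113.5", "192.0.2.10", 80),
    ("ftp-control", "203.0.113.5", "192.0.2.20", 21),
    ("ftp-data",    "203.0.113.5", "192.0.2.20", 50123),  # dynamically assigned port
    ("other-svc",   "203.0.113.9", "192.0.2.20", 6000),   # unrelated service on the FTP host
]

def verdicts(rules):
    return {label: decide(rules, s, d, p) for label, s, d, p in PACKETS}

if __name__ == "__main__":
    print(verdicts(BASE_RULES))      # FTP data is dropped: the filter cannot know the port
    print(verdicts(FTP_WORKAROUND))  # FTP data passes, and so does other-svc
```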
Application Gateway • Operates at the application level – inspects contents of packets. • Can do virus scanning on packets, or check emails for improper content etc. In practice may be too time consuming – so full service may not be attempted • May also do NAT at this point – leads to internal addressing which can make hacking more difficult
Firewalls • Denial of Service (DoS) – firewalls cannot combat these attacks, as they masquerade as genuine requests • Hacker sends a TCP SYN packet to establish a connection – the web server allocates a table slot for the connection and sends a SYN+ACK packet back. If the hacker does not respond, the table slot is tied up for a few seconds until it times out. • Hacker sends thousands of these and the table slots are all tied up – no legitimate connections can be made – DoS. • The request packets usually carry a false IP address to mask the hacker • The worst variant is a Distributed Denial of Service attack – the hacker has already broken into hundreds of computers around the world and gets them to attack your website – difficult to defend against: even if the attack is detected, the CPU is tied up processing and discarding these bogus requests
Non-Repudiation • The process of establishing beyond doubt • The identity of the sender - proof of origin • That delivery has taken place - proof of delivery • e.g. Electronic Data Interchange (EDI) • ensuring that an order is genuine • ensuring that an invoice has been received • Cryptography can be used for Digital Signature • if an originator’s public key will decrypt a message, the originator must have sent it
Possible attacks • Impostor • Ian logs onto the server but then pretends to be Andy • Eavesdropper • Ian logs onto the server but sits and listens to Andy’s conversation with the server and gathers some very sensitive data • Replay • A packet is copied and then resent later by an impostor – it could be a packet containing the encrypted password of a legitimate user
Man in the middle attack • [Figure: Ian sits between Andy and Server Z] • Andy thinks he is talking to Server Z, but he is actually talking to Ian; Server Z thinks its conversation is with Andy, but in fact it is with Ian • And there are more possible attack scenarios
Kerberos protocol • Those attacks all pose different problems in authorisation • Authorisation is compromised and so is data integrity, with the complication of data being replayed at a later date. • Kerberos makes use of a trusted third party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.
Kerberos overview • Kerberos maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to Kerberos. Knowledge of this key serves to prove an entity's identity. • For communication between two entities, Kerberos generates a session key which they can use to secure their interactions.
Kerberos overview • [Figure: Andy, the Authentication Server (AS), the Ticket Granting Server (TGS) and the server, with the labels "Who am I?", "Ticket" and "Session"]
Kerberos overview • Is based on symmetric cryptography to pass keys between an authentication server and the client. • The basic idea is that the client uses long-lived memorised passwords to get short-lived keys that aren't worth stealing from these insecure desktops • Two versions of Kerberos are in widespread use (4 and 5)
Kerberos simplified view • On a "normal" network which uses passwords to authenticate users, when a user requests a network service that requires authentication, the user is prompted to type in their password. The password is transmitted in plaintext over the network, and access to the network service is granted. • The central problem solved by Kerberos is how to use passwords for authentication without sending them over the network • It’s important to remember that in any Kerberos authentication dialogue, there are three parties: the Kerberos server, the client requesting a service, and the server requesting proof of identity. They all need to have credentials—principals, in Kerberos-terminology—stored in the Kerberos database.
Kerberos overview - LINUX • The Kerberos database contains: • principals and their keys (for users, their keys are derived from their passwords) • keys for all of the network services • When a user on the network logs in to their workstation, their principal is sent to the Key Distribution Center (KDC) as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program (so that it is transparent to the user) or can be sent by the kinit program after the user logs in. • The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user's key, and sends it back to the user.
Kerberos overview • The login program or kinit decrypts the TGT using the user's key (which it computes from the user's password). The TGT, which is set to expire after a certain period of time, is stored in the user's credentials cache. • An expiration time is set so that a compromised TGT can only be used for a certain period of time, usually eight hours (unlike a compromised password, which could be used until changed). The user will not have to re-enter their password until the TGT expires or they log out and log in again. • When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. • The TGS issues a ticket for the desired service, which is used to authenticate the user.
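The ticket flow above as a small simulation, added here as an example and not taken from the slides or from any Kerberos implementation. It goes one step beyond the simplified description: as in the protocol itself, the TGT is sealed under the TGS's own key and only the session key is sealed under the user's key. Assumptions: a toy HMAC-based `seal`/`unseal` stands in for the real cipher, the principals and password are constructed, and the client authenticators that real Kerberos uses against replay are left out.

```python
import hashlib, hmac, json, os

def kdf(password, principal):
    # User key derived from the password; the password itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    parts = (hmac.new(key, b"ks" + nonce + bytes([i]), hashlib.sha256).digest()
             for i in range(n // 32 + 1))
    return b"".join(parts)[:n]

def seal(key, obj):
    # Toy authenticated encryption (HMAC keystream + HMAC tag), a stand-in only.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC database: one user and two service principals.
KDC_DB = {"andy": kdf("correct horse", "andy"),
          "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}

def as_request(principal, now, lifetime=8 * 3600):
    # AS: look the principal up, mint a session key, issue a TGT that expires.
    user_key, sk = KDC_DB[principal], os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": principal, "sk": sk, "exp": now + lifetime})
    return seal(user_key, {"sk": sk}), tgt

def login(principal, password, now):
    # Client: only someone who knows the password can recover the session key.
    enc_sk, tgt = as_request(principal, now)
    return unseal(kdf(password, principal), enc_sk)["sk"], tgt

def tgs_request(tgt, service, now):
    # TGS: accept only an unexpired TGT it sealed itself, then issue a service ticket.
    t = unseal(KDC_DB["krbtgt"], tgt)
    if now > t["exp"]:
        raise ValueError("TGT expired")
    svc_sk = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": t["client"], "sk": svc_sk, "exp": t["exp"]})
    return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket
```

A wrong password fails at `login` without the KDC ever seeing it, and a TGT presented after its eight-hour lifetime is refused by `tgs_request`.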
Practicalities • Kerberos needs to consider both efficiency and security • Security means tickets should expire quickly (seconds) to stop replay • Efficiency means hours, to reduce the load on the TGS • Even with tickets having long lifetimes, the need for a centralised ticket server would prevent Kerberos being scalable across anything other than a modest-sized network • Kerberos overcomes this by splitting the server into an authentication server and the TGS. • This allows the nodes in a large network to be partitioned into several groups, each with its own server that knows only about the other servers and about the nodes in its group • This means that if you are in your own domain, you need a ticket from your own TGS to talk to the TGS in the other domain, to get a ticket to talk to other servers in that group
Summary • Using Authentication we can attempt to eliminate intrusion • We can also attempt to eliminate masquerade • There is no such thing as a perfect authentication system • You must be aware of the risk when you allow external access to any network.