Authentication servers: RADIUS, TACACS+
CS772 Fall 2007
• User, through a initiates PPP authentication to the NAS.
• NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]).
• User replies.
• RADIUS client sends username and encrypted password to the RADIUS server.
• RADIUS server responds with Accept, Reject, or Challenge.
• The RADIUS client acts upon services and services parameters bundled with Accept or Reject.
Radius: Introduction
• RADIUS (Remote Authentication Dial In User Service)
  • A server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.
  • http://www.gnu.org/software/radius/#introduction
• Authentication Schemes:
  • user supplies his authentication data to the server either directly by answering the terminal server's login/password prompts
  • server obtains the user's personal data from one of the following places:
    • System Database
      • The user's login and password are stored in /etc/passwd on the server
    • Internal Database
      • The user's login ID, password etc. are stored in the internal radius database. The user's password is stored in encrypted form using either MD5 or DES hash, whichever is appropriate
    • SQL authentication
      • User's details are stored in an SQL database. The database structure is fully determined by the system administrator, Radius does not restrict it in any way.
    • PAM authentication
      • User is authenticated via PAM (Pluggable Authentication Service) framework.
RADIUS – Introduction (contd.)
• Radius has three built-in accounting schemes:
  • Unix accounting
    • Accounting data are stored in radutmp/radwtmp files and can be viewed using radwho and radlast commands. Both commands are upward compatible with their Unix counterparts who and last.
  • Detailed accounting
    • The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools (grep, awk, etc.)
  • SQL accounting
    • Upon receiving accounting information Radius stores it in an SQL database. This can then be processed using standard SQL queries.
• Radius is extensible and new accounting methods can be added using the extension language.
RADIUS Protocol
• http://www.untruth.org/~josh/security/radius/radius-auth.html (Analysis)
• http://www.ietf.org/rfc/rfc2865.txt (specification)
Why use RADIUS?
• It is commonly used for embedded network devices such as routers, modem servers, switches, etc. It is used for several reasons:
  • The embedded systems generally cannot deal with a large number of users with distinct authentication information.
  • RADIUS facilitates centralized user administration, which is important for several of these applications. Many ISPs have tens of thousands, hundreds of thousands, or even millions of users.
  • RADIUS consistently provides some level of protection against a sniffing, active attacker. Other remote authentication protocols provide either intermittent protection, inadequate protection or non-existent protection. RADIUS's primary competition for remote authentication is TACACS+ and LDAP. LDAP natively provides no protection against sniffing or active attackers. TACACS+ is subtly flawed.
RADIUS Issues
• The User-Password protection scheme is a stream cipher, where an MD5 hash is used as an ad hoc pseudorandom number generator (PRNG). The security of the cipher rests on the strength of MD5 for this type of use and the selection of the shared secret.
Side issue: Stream Ciphers
• A stream cipher is a type of symmetric encryption algorithm. Stream ciphers can be designed to be exceptionally fast, much faster than any block cipher.
• While block ciphers operate on large blocks of data, stream ciphers typically operate on smaller units of plaintext, usually bits. With a stream cipher, the transformation of these smaller plaintext units will vary, depending on when they are encountered during the encryption process.
• A stream cipher generates what is called a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext, usually with the bitwise XOR operation.
• Current interest in stream ciphers is most commonly attributed to the appealing theoretical properties of the one-time pad. A one-time pad uses a string of bits that is generated completely at random. The keystream is the same length as the plaintext message and the random string is combined using bitwise XOR with the plaintext to produce the ciphertext. Since the entire keystream is random, even an opponent with infinite computational resources can only guess the plaintext if he or she sees the ciphertext.
• Stream ciphers were developed as an approximation to the action of the one-time pad. While contemporary stream ciphers are unable to provide the satisfying theoretical security of the one-time pad, they are at least practical.
• As of now there is no stream cipher that has emerged as a de facto standard. The most widely used stream cipher is RC4. Interestingly, certain modes of operation of a block cipher effectively transform it into a keystream generator, and in this way any block cipher can be used as a stream cipher, as with DES in CFB or OFB modes. However, stream ciphers with a dedicated design are typically much faster.
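
The User-Password scheme from the "RADIUS Issues" slide, written out as the keystream-XOR construction the stream cipher slide describes. This is an added example following RFC 2865 section 5.2, not code from the slides; the secret, authenticator and passwords used with it are constructed sample values.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: hide a User-Password value (RFC 2865 section 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # MD5 is the keystream generator: b_i = MD5(secret + c_(i-1)),
        # with the Request Authenticator standing in for c_0.
        keystream = hashlib.md5(secret + prev).digest()
        prev = xor_bytes(padded[i:i + 16], keystream)
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream and strip the padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += xor_bytes(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # trailing NULs cannot be told from padding

def first_block_xor(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """XOR of the first hidden blocks of two requests.

    If both requests used the same secret and Request Authenticator, the
    keystream cancels and this equals the XOR of the two padded passwords.
    """
    return xor_bytes(hidden_a[:16], hidden_b[:16])

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTH = bytes(range(16))
```

The first keystream block depends only on the shared secret and the Request Authenticator, which is why RFC 2865 asks for authenticators that are unpredictable and unique over the lifetime of a secret.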
Side Issue: PAP
• Password Authentication Protocol, sometimes abbreviated PAP, is a simple authentication protocol used to authenticate a user to a network access server, used for example by internet service providers. PAP is used by the Point-to-Point Protocol. Authentication is the process of validating a user before the user accesses resources. Almost all network operating system remote servers support PAP.
• PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP (the last of which is actually a framework).
• PAP works as follows:
  1. After the link is established, the client sends a password and username to the server bundled as one LCP packet.
  2. The server (the modem card in the modem racks) recognizes the packet as a PAP authentication request, and sends the data to the RADIUS server (the database of usernames and passwords).
  3. RADIUS either validates the request and sends back an acknowledgement to the modem card, terminates the connection, or offers the client another chance. Passwords are sent as plain text.
• The difference between PAP authentication and a manual or scripted login is that PAP is not interactive. The username and password are entered in the client's dialing software and sent as one data package as soon as the modems have established a connection, rather than the server sending a login prompt and waiting for a response.
Side Issue: CHAP
• CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than the Password Authentication Procedure (PAP).
• Here's how CHAP works:
  • After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function.
  • The server checks the response by comparing it to its own calculation of the expected hash value.
  • If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
• At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC1334 defines both CHAP and PAP.
TACACS+
• A major paradigm shift in remote network access is the shift from terminal access to LAN access. Single users are connecting to the corporate network with computers (notebooks or PCs from home) that can sustain complete network connections. These users no longer connect as unfriendly terminals but connect in the same way they do at work: as a LAN user.
• TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol which provides access control for routers, network access servers (NAS) and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.
• Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the two operations. Another difference is that TACACS+ uses the Transmission Control Protocol (TCP) while RADIUS uses the User Datagram Protocol (UDP). Most administrators recommend using TACACS+ because TCP is seen as a more reliable protocol.
• http://www.cisco.com/warp/public/614/7.html
Advantages of the TACACS+ Protocol:
• TCP-based for more security
• Provides three separate protocol components, each of which can be implemented on separate servers
• Authentication provides complete server control of the authentication process, which includes:
  • Login and password query
  • Challenge/response
  • Messaging support (any)
  • Encrypted in MD5
  • Replaceable with Kerberos 5
• Authorization allows "remote" access control and enhanced granularity. Features include:
  • One authentication
  • Authorization for each service
  • Per-user access list and user profile
  • Users can belong to groups
  • IP and Telnet support (IPX, ARA future)
  • Any access or command and permission or restrictions
Examples of the "AAA" Functionality
• The authorization component in TACACS+ allows greater levels of control over user actions and can be used to create separate administrative groups that are based on user functionality.
• For example, a network manager might want to restrict a user to performing certain functions on the access server or router. Within the access server, a user might be restricted to PPP or SLIP and only be permitted to connect to a specific host address.
• Another example of the flexibility of the authorization subsystem is forcing a user to connect to a particular host if an attempt is made to connect to a specific host. In the case of the router's command line user interface, a restriction might be placed on executing particular EXEC commands such as reload.
• The authentication protocol can also generate an autocommand. Once a user is authenticated, this runs any command within the access server system and is very powerful for complete access management. Network managers can use the accounting component to track user activity for a security audit trail or to provide billing information. A report might be structured to provide: user identity, start and stop times, executed commands, number of packets, and number of bytes.
• Password aging is another example of the capabilities that are now available with TACACS+. A server supporting TACACS+ can send a message back to users, telling them to change their passwords as part of the login sequence. They will not be allowed access unless they change their passwords at that time.
Vulnerabilities
• Lack of integrity checking. Almost no integrity checking exists in TACACS+. The only check defined in the RFC draft is to make sure the sum of component lengths matches the total size of the packet.
• Vulnerability to replay attacks.
  • TACACS+ lacks virtually any protection against replay attacks. The only requirement is that packets have a correct sequence number.
  • Since all TACACS+ sessions start with a sequence number of 1 (not a vulnerability in and of itself), the TACACS+ server will always process a packet with seq_no set to 1.
  • Especially easy to replay are accounting sessions, which consist of only one packet sent to the server (with a seq_no of 1). Obviously, it is also possible to replay the packets with certain bits flipped, such as to get different task_id's in case a billing system is smart enough to check for duplicate records.
  • The fact that TACACS+ uses TCP provides no security against replay, as new TCP connections may be opened by an attacker for replaying recorded TACACS+ sessions.
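
One way a server or network monitor can catch the replays described above, as an added example that is not part of the original slides: parse the 12-octet TACACS+ header and flag any session-opening packet (seq_no 1) whose session_id has already been seen from the same client. `ReplayMonitor`, `build_packet` and the client name used with them are hypothetical, and the packets are constructed.

```python
import hashlib
import struct

# version, type, seq_no, flags, session_id, length (network byte order)
HEADER = struct.Struct("!BBBBII")

def parse_header(packet: bytes) -> dict:
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 12-octet TACACS+ header")
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != 0xC:
        raise ValueError("major version is not TACACS+ (0xc)")
    if length != len(packet) - HEADER.size:
        raise ValueError("length field does not match body size")
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id}

def build_packet(session_id: int, body: bytes, ptype: int = 3, seq_no: int = 1) -> bytes:
    """Build a constructed sample packet (type 3 = accounting)."""
    return HEADER.pack(0xC0, ptype, seq_no, 0, session_id, len(body)) + body

class ReplayMonitor:
    """Remembers session-opening packets per client (hypothetical class)."""

    def __init__(self):
        self._opened = {}  # (client, session_id) -> digest of first body seen

    def observe(self, client: str, packet: bytes) -> str:
        hdr = parse_header(packet)
        if hdr["seq_no"] != 1:
            return "ok"  # only session-opening packets are tracked here
        key = (client, hdr["session_id"])
        digest = hashlib.sha256(packet[HEADER.size:]).digest()
        first = self._opened.get(key)
        if first is None:
            self._opened[key] = digest
            return "ok"
        # Same session_id opened twice: byte-identical body is a plain
        # replay, a differing body is a replay with bits flipped.
        return "replay-exact" if first == digest else "replay-modified"
```

Keying on session_id rather than on record fields such as task_id means a replay with altered body bits is still flagged; a deployment would bound the table by time, since session_id is only 32 bits.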