254542 Networks Management and Security Lecture 4

Dec 13, 2015
Page 1

254542 Networks Management and Security

Lecture 4

Page 2

Authentication Protocols

• A process of verifying that a communication partner is not an impostor

• Authenticity does not mean authority

• Alice and Bob are called principals

• Authenticated based on:
– Shared secret key
– Trusted 3rd party = key distribution center (KDC)

Page 3

Secret-key Authentication

• Assuming A and B already share K_AB

• Based on challenges and responses

• R_i = Challenge from the ith challenger

• K_i = Key from the ith owner

• K_S = session key

Page 4

Authentication using a challenge-response protocol

1. Alice → Bob: A
2. Bob → Alice: R_B
3. Alice → Bob: K_AB(R_B)
4. Alice → Bob: R_A
5. Bob → Alice: K_AB(R_A)

After all the responses, A can determine K_S and send it to B in an encrypted form

Page 5

Shortened authentication using challenge-response protocol

1. Alice → Bob: A, R_A
2. Bob → Alice: R_B, K_AB(R_A)
3. Alice → Bob: K_AB(R_B)

Is it secure?

Page 6

Reflection Attack

First session:
1. Trudy → Bob: A, R_T
2. Bob → Trudy: R_B, K_AB(R_T)

Second session, opened by Trudy before the first one is finished:
3. Trudy → Bob: A, R_B
4. Bob → Trudy: R_B2, K_AB(R_B)

First session, completed with Bob's own answer from the second session:
5. Trudy → Bob: K_AB(R_B)

Page 7

3 Rules for Designing Authentication Protocol

• Prove the initiator’s identity before the responder has to

• Use different keys for the initiator and responder (i.e. K_AB and K'_AB)

• The initiator and responder should use different sets of challenges (e.g. even and odd numbers)
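The following is an added example, not part of the lecture slides: it simulates Bob as the responder of the shortened protocol (slide 5), replays the two-session reflection of slide 6 against him, and shows that applying rule 2 (a separate responder key K'_AB) or rule 3 (odd initiator challenges, even responder challenges) makes the reflected answer fail verification. K_AB(R) is modelled as an HMAC of the challenge, which is an assumption of this example; the slides do not fix a cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def kab(key: bytes, r: int) -> bytes:
    """Stand-in for the slides' K_AB(R): a keyed MAC of the challenge (constructed choice)."""
    return hmac.new(key, r.to_bytes(8, "big"), hashlib.sha256).digest()

class Responder:
    """Bob in the shortened protocol (slide 5), able to hold several sessions at once."""

    def __init__(self, k_ab: bytes, k_ab_prime: Optional[bytes] = None, split_challenges: bool = False):
        self.k_ab = k_ab
        self.k_resp = k_ab_prime or k_ab   # rule 2: answer challenges with K'_AB, verify with K_AB
        self.split = split_challenges      # rule 3: initiator challenges odd, responder's even
        self.sessions = {}

    def open(self, sid: int, r_init: int):
        """Message 2: answer the initiator's challenge and issue our own R_B."""
        if self.split and r_init % 2 == 0:
            raise ValueError("initiator challenges must be odd")
        r_b = secrets.randbits(63) * 2 if self.split else secrets.randbits(64)
        self.sessions[sid] = r_b
        return r_b, kab(self.k_resp, r_init)

    def finish(self, sid: int, response: bytes) -> bool:
        """Message 3: accept only K_AB(R_B) for this session's own R_B."""
        r_b = self.sessions.pop(sid)
        return hmac.compare_digest(response, kab(self.k_ab, r_b))

def honest_run(bob: Responder, k_ab: bytes) -> bool:
    """Alice completes the protocol with the genuine shared key."""
    r_b, _ = bob.open(sid=0, r_init=12345)   # odd challenge, as rule 3 requires
    return bob.finish(0, kab(k_ab, r_b))

def reflection_succeeds(bob: Responder) -> bool:
    """Slide 6: Trudy opens a second session so that Bob answers his own challenge."""
    r_b, _ = bob.open(sid=1, r_init=12345)
    try:
        _, bobs_answer = bob.open(sid=2, r_init=r_b)   # R_B reflected back as a new challenge
    except ValueError:
        return False                                    # rule 3: even challenge rejected
    return bob.finish(1, bobs_answer)                   # rule 2: K'_AB(R_B) != K_AB(R_B)
```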

Page 8

Authentication Based on KDC

• Previous protocol: key management problem
• With KDC, each user has a single shared key
• The simplest known protocol = wide mouth frog

1. Alice → KDC: A, K_A(B, K_S)
2. KDC → Bob: K_B(A, K_S)

What about a replay attack?

Page 9

Solutions to the Replay Attack

• Timestamp
– Still vulnerable before a message is obsolete

• Nonce (one-time, unique message number)
– Each party has to remember nonces forever
– Or a combination between nonce & timestamp

Page 10

Needham-Schroeder Authentication Protocol

1. Alice → KDC: R_A, A, B
2. KDC → Alice: K_A(R_A, B, K_S, K_B(A, K_S))
3. Alice → Bob: K_B(A, K_S), K_S(R_A2)
4. Bob → Alice: K_S(R_A2 - 1), R_B
5. Alice → Bob: K_S(R_B - 1)

R_A = Nonce, K_B(A, K_S) = Ticket

* Replay attack at message 3 with old K_S

Page 11

Otway-Rees Authentication Protocol

1. Alice → Bob: A, B, R, K_A(A, B, R, R_A)
2. Bob → KDC: A, K_A(A, B, R, R_A), B, K_B(A, B, R, R_B)
3. KDC → Bob: K_A(R_A, K_S), K_B(R_B, K_S)
4. Bob → Alice: K_A(R_A, K_S)

Page 12

Authentication using Kerberos

• Developed by MIT, currently in version 5
• Widely used in real world
• Assumes that all clocks are well synchronized
• Involves 3 servers
– Authentication Server (AS) verifies users during login
– Ticket-Granting Server (TGS) issues “proof of identity tickets”
– Bob the server performs work requested by Alice

Page 13

Servers’ duties

• AS
– Shares a secret key with every user
– Similar to KDC

• TGS
– Issues tickets to verify the identity of the TGS ticket bearer

Page 14

Kerberos Operation

1. Alice → AS: A
2. AS → Alice: K_A(K_S, K_TGS(A, K_S))
3. Alice → TGS: K_TGS(A, K_S), B, K_S(t)
4. TGS → Alice: K_S(B, K_AB), K_B(A, K_AB)
5. Alice → Bob: K_B(A, K_AB), K_AB(t)
6. Bob → Alice: K_AB(t+1)

• Alice is asked for her password after message 2 arrives

• Replay attack with message 3 doesn’t work

Page 15

Kerberos in Real World

• Still susceptible to password-guessing attack
– Heighten security at the user end

• PKI (public-key infrastructure) is being added into Kerberos
– But still confined to initial requests to TGS (why?)

Page 16

Intrusion Detection Systems (IDS)

• Do not
– Block or prevent attacks

• Do
– Notify the systems when they are being hacked

• Host and Network IDS
– NIDS mostly looks at the network traffic
  • Detecting potential attacks
– Host IDS looks at host, OS, and application activities
  • Detecting attacks that already succeeded

Page 17

IDS tools

• Auditing

• Detecting anomalous behaviors

• Pattern matching and detecting

• CERT (Computer Emergency Response Team) bulletin board – lists security problems that have been discovered and reported

Page 18

Auditing

• Logfile monitors
– Host-based IDS scanning and analyzing logfiles
– Pattern searching

• Integrity monitors
– Watch key system structures (system files, registry keys, etc.) for change
– Establish a “known safe baseline” (pre-attack)
– Should be deployed on a clean system

Page 19

Signature Matchers

• A stateful NIDS that detects attacks based on a database of known attack signatures
– Stateful means that it can track fragmented TCP packets (and reassemble them)
– Stateless deals with individual packets

• E.g. Snort (http://www.Snort.org), which is freeware and open source

Page 20

Anomaly Detectors

• NIDS, which
– establishes a baseline of “normal” system behaviour
– alerts when a deviation occurs
– sometimes categorized into “traffic anomalies” and “protocol anomalies”

• Problem: Network traffic is constantly changing, especially in large networks
– Hybrid into a more host-based IDS

Page 21

Interesting Profiles Worth Watching

• Login profile
– Login/location frequency, last login
– Session elapsed time, session output
– Password fails, location fails

• Command/Program execution
– Execution frequency, program IO, program CPU
– Execution denied, program resource exhaustion

• File access activities
– Read/write/delete/create frequency
– Number of fails on read/write/delete/create
– Number of records read/written
– File resource exhaustion

Page 22

Bayesian Analysis

• Applied to NIDS for diagnosis purposes

• NIDS problems
– Keeping signature databases up to date
– Coping with massive bandwidth (especially a stateful NIDS)
– Capabilities limited in switched networks
– Vulnerable to attacks (e.g. DoS)

Page 23

Sensitivity vs. Specificity

• TP = true positive (intrusion correctly detected)
• FP = false positive (false alarm)
• FN = false negative (intrusion missed)
• TN = true negative (integrity correctly detected)

                  Intrusion +    Intrusion -
IDS response +    TP             FP
IDS response -    FN             TN

Page 24

Sensitivity

• Sensitivity = True positives / (true positives + false negatives)

• More sensitivity = Less likeliness to miss actual intrusions

• For identifying attacks …
– that should never be missed
– on areas that are easy to fix

• Best for “screening” (FN is more critical)

• Should be implemented here

[Diagram: Internet - Corporate firewall - Web server - Router - LAN, marking where a high-sensitivity IDS should be placed]

Page 25

Specificity

[Diagram: Internet - Corporate firewall - Web server - Router - LAN, marking where a high-specificity IDS should be placed]

• Specificity = True negatives / (true negatives + false positives)

• More specificity = Less likeliness to produce false alarms
– Useful tools for the network administrator

• For identifying attacks …
– on areas in which automatic diagnosis is critical

• Best when…
– consequences for false-positive results are serious

• Should be implemented here

Page 26

Accuracy

• Accuracy = Percentage of all IDS results that are correct

• Encompasses both sensitivity and specificity

• E.g. web server under constant attacks that needs
– Screening for any slight anomaly
– Automatic processes to deal with any incident (due to high traffic volume)

• Can be achieved by combining layers of different IDSs

[Diagram: Internet - Corporate firewall - Web server - Router - LAN]
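An added example (not from the slides) that computes the slide 23 confusion matrix and the sensitivity, specificity and accuracy of slides 24 to 26 over a small constructed set of labelled requests, for a screening NIDS rule, a host-based signature check, and the two combined as layers; the detectors, event fields and traffic sample are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One observed request with its ground truth (constructed sample, not from the slides)."""
    size: int        # request size in bytes
    rate: int        # requests per minute seen from the same source
    bad_path: bool   # host log shows a path matching a known attack signature
    intrusion: bool  # ground truth label

def confusion(events, detector):
    """Count TP, FP, FN, TN for one detector over labelled events (the table on slide 23)."""
    tp = fp = fn = tn = 0
    for e in events:
        alarm = detector(e)
        if alarm and e.intrusion:
            tp += 1
        elif alarm:
            fp += 1
        elif e.intrusion:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn

def metrics(tp, fp, fn, tn):
    """Sensitivity, specificity and accuracy as defined on slides 24 to 26."""
    return {"sensitivity": tp / (tp + fn),
            "specificity": tn / (tn + fp),
            "accuracy": (tp + tn) / (tp + fp + fn + tn)}

# Layer 1: a screening NIDS rule that fires on anything unusual (high sensitivity).
# Layer 2: a host-based signature check (high specificity); layered = both must agree.
nids = lambda e: e.size > 1000 or e.rate > 50
hids = lambda e: e.bad_path
layered = lambda e: nids(e) and hids(e)

SAMPLE = [  # constructed traffic: four intrusions, six benign requests
    Event(1500, 80, True, True), Event(1200, 60, True, True),
    Event(300, 90, False, True), Event(2000, 10, True, True),
    Event(200, 5, False, False), Event(1100, 8, False, False),
    Event(400, 70, False, False), Event(250, 3, True, False),
    Event(180, 12, False, False), Event(900, 40, False, False),
]

def compare(events=SAMPLE):
    """Metrics for each detector, showing how layering trades sensitivity for specificity."""
    return {name: metrics(*confusion(events, d))
            for name, d in (("nids", nids), ("hids", hids), ("layered", layered))}
```

On this sample the screening rule misses nothing but raises two false alarms, while the layered result keeps the host check's sensitivity and reaches a specificity of 1.0.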

Page 27

Hacking IDSs: Fragmentation

• A.k.a. packet splitting

• Most common attack against NIDSs

• Splitting packets into smaller pieces
– Difficult for analyses

• Stateful IDSs can prevent this attack but
– Consume more resources and become less accurate as throughput increases

Page 28

Hacking IDSs: Spoofing

• Spoofing TCP sequence numbers

• IDS becomes desynchronized from the host
– And then ignores the true data stream while waiting for a forged sequence number

• IDS must be aware of the real target host

Page 29

Hacking IDSs: Protocol Mutation

• For example, a typical CGI-bin request is
GET /cgi-bin/script.cgi HTTP/1.0

• If the IDS scans for /cgi-bin/script.cgi

• The attacker can modify the request to
GET /cgi-bin/subdir/../script.cgi HTTP/1.0
(“directory traversal”)

• Solution:
– Normalize traffic to look more uniform
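An added example of the "normalize traffic" solution, not code from the slides: a request-path normalizer that undoes percent-encoding, dot segments, backslashes and repeated slashes before the slide's signature is compared, so the mutated request and the plain one match the same rule. The signature string and the request lines used are taken from the slide; the handling of encoded and double-encoded paths goes beyond the slide's single traversal case.

```python
import posixpath
from urllib.parse import unquote

def normalize_path(raw: str) -> str:
    """Canonicalize a request path before signature matching (the slide's 'normalize traffic')."""
    path = raw
    for _ in range(3):                 # undo double encoding: %252e -> %2e -> '.'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("?", 1)[0]       # the query string plays no part in the path
    path = path.replace("\\", "/")     # treat backslashes as separators
    if not path.startswith("/"):
        path = "/" + path
    # normpath folds 'a/b/../c' into 'a/c', drops './' and collapses repeated slashes;
    # a leading '/..' is discarded, so the result cannot climb above the root.
    path = posixpath.normpath(path)
    if path.startswith("//"):          # POSIX keeps exactly two leading slashes; we do not
        path = "/" + path.lstrip("/")
    return path

def matches_signature(request_line: str, signature: str = "/cgi-bin/script.cgi") -> bool:
    """Apply the slide's signature to the normalized path of an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return normalize_path(parts[1]) == signature
```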

Page 30

Hacking IDSs: Attacking Integrity Checkers

• Integrity checkers
– Initialize mode: compute checksum and collect information
– Check mode: look for changes
– Update mode: update signature after system reconfiguration

• Attacks
– Send wrong information
– Compromise the system between checks
– Hide tracks by “correcting” the system by itself
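An added example (not from the slides) of the integrity monitor described on slides 18 and 30, with its initialize, check and update modes: the baseline stores a SHA-256 of each watched file together with its size and mode, so an edit that keeps the file size, or a permission change, is still reported. The file names, contents and the `demo` walk-through are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

class IntegrityChecker:
    """Baseline-and-compare integrity monitor with the three modes of slide 30 (added example)."""
    def __init__(self, watched):
        self.watched = [Path(p) for p in watched]
        self.baseline = {}

    @staticmethod
    def fingerprint(path: Path) -> dict:
        """Content hash plus size and mode, so a same-size edit or a chmod is also caught."""
        st = path.stat()
        return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": st.st_size, "mode": st.st_mode}

    def initialize(self):
        """Initialize mode: record the known-safe baseline (only meaningful on a clean system)."""
        self.baseline = {str(p): self.fingerprint(p) for p in self.watched if p.exists()}

    def check(self):
        """Check mode: report watched files that are modified, missing or newly appeared."""
        findings = []
        for p in self.watched:
            key = str(p)
            if not p.exists():
                if key in self.baseline:
                    findings.append(("missing", key))
            elif key not in self.baseline:
                findings.append(("new", key))
            elif self.fingerprint(p) != self.baseline[key]:
                findings.append(("modified", key))
        return findings

    def update(self, paths):
        """Update mode: re-baseline only the files an administrator deliberately reconfigured."""
        for p in map(Path, paths):
            self.baseline[str(p)] = self.fingerprint(p)

def demo():
    """Walk the three modes in a temporary directory; returns (after_edit, after_update)."""
    d = Path(tempfile.mkdtemp())
    cfg = d / "app.conf"
    cfg.write_text("debug=off\n")
    mon = IntegrityChecker([cfg, d / "ghost"])   # 'ghost' never exists: not reported
    mon.initialize()
    cfg.write_text("debug=on!\n")      # same length, so only the hash reveals the edit
    after_edit = mon.check()
    mon.update([cfg])                  # administrator approves the reconfiguration
    return after_edit, mon.check()
```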

Page 31

Future of IDSs

Problem:
• Encrypted traffic (IPSec)
• Increased speed and complexity of attacks
• Increased amount of data to interpret
• New evasion techniques
• New kernel-based attacks

Solution:
• Embed IDS throughout host stack
• Strict anomaly detection, optimized NIDS engines, intelligent pattern matching
• Visual display of data
• New traffic normalization techniques and deeper host awareness
• New kernel security mechanisms