Security of Systems and Networks November 19 Lecture 7 Authentication & Kerberos Jaap van Ginkel
Authentication
SNE SSN
The problem illustrated
Thanks to Ton Verschuren
Terminology
• Identification: (“who are you?”)
• Authentication: (“prove it!”) (AUTHN)
• Authorization: (“these you can do”) (AUTHZ)
• Different levels of authentication:
  – Weak (something you know)
  – Strong (something you have and something you know)
  – Biometrics (something you are)
Examples
• Something you Know
  – Password
  – Address/birthday combination
  – Pin code
• Something you Have
  – Key
  – Bank card
  – Drivers license
  – Letter
• Something you Are
  – Finger print
  – DNA profile
  – Iris print
User name Password
• Weak authentication
• User Friendly
  – Works everywhere
• Very common
• Alternatives difficult
• Extended Life span
  – Awareness
  – Safe implementation
Common passwords
• 123456: 1375
• Ficken: 404
• 12345: 367
• Hallo: 362
• 123456789: 260
• Schatz: 253
• 12345678: 215
Chocolate passwords 2004 Research Liverpool Street Station
o 70% gave up password for chocolate http://news.bbc.co.uk/2/hi/technology/3639679.stm
Alternatives
Passfaces
Passclicks
http://labs.mininova.org/passclicks/
But where do people click
Certificate based
• Public Key Infrastructure
• X.509 certificates
• Open standard
• Can be used in strong Authentication
• Complex for end user
• High cost
• Used for server side authentication
• Wide support
Smart cards
• Not many successful implementations
  – Card reader
  – Logistics
  – Expensive
• Standardisation poor
USB Tokens
• Smartcard with reader
SecurID
• One time pad
• Pin code
• Easy to integrate
• Clock sync
One Time Pads
• Maurits van der Schee
WEBISO
• Web Initial Signon
• Framework and architecture
• Broad support
Athens
• British
• 1996
• Aimed at libraries
• Health sector
• Very successful
  – Millions of users
• Migrated to Shibboleth SAML 2.0
PAPI
• Spanish initiative
• In production
• Proven between organizations
• Reasonable support
• Moving to SAML
Pubcookie
• University of Washington
• Closely resembles A-Select
• Broad support
A-select
• Dutch Initiative
• SURFnet
• No open source
• Many platforms
• Strong authentication with Niegefoon and Niegebach
• DigiD
Shibboleth
• Sheveningen
• Lollapalooza
• Internet 2 middleware initiative
• Good architecture
• Focus on privacy
Shibboleth
What is Shibboleth?
• Internet2/MACE project (open source)
• “inter institutional” authorization for web resources
• Authorization with privacy
• User data remains local
• More control to user and home organization
• More control for publishers
Crossing the Jordan
• Pronunciation password
• War between Ephraimites and Gileadites
• Bible: Judges 12:1-15
• 42.000 were killed
Old and New
• So they said to him: Say now Schibboleth; but he said: Sibbolet, and could not pronounce it correctly; so they seized him and slew him at the fords of the Jordan, so that at that time forty-two thousand of Ephraim fell.
• …………
Under embargo until 17:00
……….
Shibboleth terminology
Components:
1. Shibboleth Indexical Reference Establisher (SHIRE)
2. Handle Service (HS)
3. Where Are You From (WAYF)
4. Authentication System (AS)
5. Shibboleth Attribute Requestor (SHAR)
6. Resource Manager (RM)
1. Security Assertion Markup Language (SAML)
2. Attribute Release Policies (ARP)
3. Attribute Acceptance Policies (AAP)
Shibboleth Architecture
Shibboleth: Access to Science Direct
[Figure: message flow in numbered steps 1 to 10. Labels in the figure: Science Direct, Elsevier, UvA, WAYF, SHIRE, HS, User DB, Credentials, SHAR, Handle, AA, Attributes, Resource Manager. Callouts in the figure, in the order they appear:]
• “I don't know you. Which organization are you actually from?”
• “Tell me where you come from.”
• “I don't know you. Can you authenticate first?”
• “OK, now I know you. I will forward your request with a handle.”
• “OK, I will send the request to the Handle Service of your organization.”
• “I don't know the attributes of this user and will request them.”
• “OK, I will pass on the attributes the user gives permission for.”
• “OK, based on these attributes I grant access.”
Demo
• Thanks to SWITCH AAI
• Resource is
  – kohala.switch.ch
• WAYF is
  – wayf1.switch.ch
• Identity Provider is
  – maunakea.switch.ch
• http://www.switch.ch/aai/demo/demo_live.html
A-Select
• Integration with Shibboleth
  – Not yet in production
• Replacement for PubCookie
• Many authentication methods
TIQR
TIQR
• Dutch initiative SURFnet
• OATH
  o Initiative for Open Authentication
• OCRA
  o OATH Challenge-Response Algorithm
• OpenID provider (OP)
• OpenID relying party (RP)
• Microsoft, Google, Facebook, Paypal
Biometrics
Slides from the publisher
Something You Are
• Biometric
  – “You are your key” (Schneier)
[Figure: triangle labelled Are, Know, Have]
• Examples
  ● Fingerprint
  ● Handwritten signature
  ● Facial recognition
  ● Speech recognition
  ● Gait (walking) recognition
  ● “Digital doggie” (odor recognition)
  ● Many more!
Why Biometrics?
• Biometrics seen as desirable replacement for passwords
• Cheap and reliable biometrics needed
• Today, a very active area of research
• Biometrics are used in security today
  – Thumbprint mouse
  – Palm print for secure entry
  – Fingerprint to unlock car door, etc.
• But biometrics not too popular
  – Has not lived up to its promise (yet?)
Ideal Biometric
• Universal: applies to (almost) everyone
  – In reality, no biometric applies to everyone
• Distinguishing: distinguish with certainty
  – In reality, cannot hope for 100% certainty
• Permanent: physical characteristic being measured never changes
  – In reality, want it to remain valid for a long time
• Collectable: easy to collect required data
  – Depends on whether subjects are cooperative
• Safe, easy to use, etc., etc.
Biometric Modes
• Identification: Who goes there?
  – Compare one to many
  – Example: The FBI fingerprint database
• Authentication: Is that really you?
  – Compare one to one
  – Example: Thumbprint mouse
• Identification problem more difficult
  – More “random” matches since more comparisons
• We are interested in authentication
Enrollment vs Recognition
• Enrollment phase
  – Subject’s biometric info put into database
  – Must carefully measure the required info
  – OK if slow and repeated measurement needed
  – Must be very precise for good recognition
  – A weak point of many biometric schemes
• Recognition phase
  – Biometric detection when used in practice
  – Must be quick and simple
  – But must be reasonably accurate
Cooperative Subjects
• We are assuming cooperative subjects
• In identification problem often have uncooperative subjects
• For example, facial recognition
  – Proposed for use in Las Vegas casinos to detect known cheaters
  – Also as way to detect terrorists in airports, etc.
  – Probably do not have ideal enrollment conditions
  – Subject will try to confuse recognition phase
• Cooperative subject makes it much easier!
  – In authentication, subjects are cooperative
Biometric Errors
• Fraud rate versus insult rate
  – Fraud: user A mis-authenticated as user B
  – Insult: user A not authenticated as user A
• For any biometric, can decrease fraud or insult, but the other will increase
• For example
  – 99% voiceprint match ⇒ low fraud, high insult
  – 30% voiceprint match ⇒ high fraud, low insult
• Equal error rate: rate where fraud == insult
  – The best measure for comparing biometrics
Fingerprint History
• 1823 Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns
• 1856 Sir William Herschel used fingerprint (in India) on contracts
• 1880 Dr. Henry Faulds article in Nature about fingerprints for ID
• 1883 Mark Twain’s Life on the Mississippi: a murderer ID’ed by fingerprint
Fingerprint History
• 1888 Sir Francis Galton (cousin of Darwin) developed classification system
  – His system of “minutia” is still in use today
  – Also verified that fingerprints do not change
• Some countries require a number of points (i.e., minutia) to match in criminal cases
  – In Britain, 15 points
  – In US, no fixed number of points required
Fingerprint Comparison
Loop (double) Whorl Arch
• Examples of loops, whorls and arches
• Minutia extracted from these features
Fingerprint Biometric
• Capture image of fingerprint
• Enhance image
• Identify minutia
Fingerprint Biometric
• Extracted minutia are compared with user’s minutia stored in a database
• Is it a statistical match?
Hand Geometry
• Popular form of biometric
• Measures shape of hand
  ● Width of hand, fingers
  ● Length of fingers, etc.
• Human hands not unique
• Hand geometry sufficient for many situations
• Suitable for authentication
• Not useful for ID problem
Hand Geometry
• Advantages
  – Quick
  – 1 minute for enrollment
  – 5 seconds for recognition
  – Hands symmetric (use other hand backwards)
• Disadvantages
  – Cannot use on very young or very old
  – Relatively high equal error rate
Iris Patterns
• Iris pattern development is “chaotic”
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime
Iris Recognition: History
• 1936 suggested by Frank Burch
• 1980s James Bond films
• 1986 first patent appeared
• 1994 John Daugman patented best current approach
  – Patent owned by Iridian Technologies
Iris Scan
• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• Find 2-D wavelet transform
• Get 256 byte iris code
Iris Scan Error Rate
distance    Fraud rate
0.29        1 in 1.3∗10^10
0.30        1 in 1.5∗10^9
0.31        1 in 1.8∗10^8
0.32        1 in 2.6∗10^7
0.33        1 in 4.0∗10^6
0.34        1 in 6.9∗10^5
0.35        1 in 1.3∗10^5
: equal error rate
Attack on Iris Scan
• Good photo of eye can be scanned
• And attacker can use photo of eye
• Afghan woman was authenticated by iris scan of old photo
  ● Story is here
• To prevent photo attack, scanner could use light to be sure it is a “live” iris
Equal Error Rate Comparison
• Equal error rate (EER): fraud == insult rate
• Fingerprint biometric has EER of about 5%
• Hand geometry has EER of about 10^-3
• In theory, iris scan has EER of about 10^-6
  – But in practice, hard to achieve
  – Enrollment phase must be extremely accurate
• Most biometrics much worse than fingerprint!
• Biometrics useful for authentication…
• But ID biometrics are almost useless today
Biometrics: The Bottom Line
• Biometrics are hard to forge
• But attacker could
  – Steal Alice’s thumb
  – Photocopy Bob’s fingerprint, eye, etc.
  – Subvert software, database, “trusted path”, …
• Also, how to revoke a “broken” biometric?
• Biometrics are not foolproof!
• Biometric use is limited today
• That should change in the future…
Keep paying attention to effectiveness
Zero Knowledge Proofs
Zero Knowledge Proof (ZKP)
• Alice wants to prove that she knows a secret without revealing any info about it
• Bob must verify that Alice knows secret
  o Even though he gains no info about the secret
• Process is probabilistic
  o Bob can verify that Alice knows the secret to an arbitrarily high probability
• An “interactive proof system”
Bob’s Cave
• Alice claims to know secret phrase to open path between R and S (“open sarsaparilla”)
• Can she convince Bob that she knows the secret without revealing phrase?
[Figure: cave with points P, Q, R and S]
Bob’s Cave
• Bob: “Alice come out on S side”
• Alice (quietly): “Open sarsaparilla”
• If Alice does not know secret…
• …then Alice could come out from the correct side with probability 1/2
• If Bob repeats this n times, then Alice (who does not know secret) can only fool Bob with probability 1/2^n
[Figure: cave with points P, Q, R and S]
Rainbow tables
Kerberos
• In Greek mythology, Kerberos is a 3-headed dog that guards the entrance to Hades
  o “Wouldn’t it make more sense to guard the exit?”
• In security, Kerberos is an authentication system based on symmetric key crypto
  o Originated at MIT
  o Based on work by Needham and Schroeder
  o Relies on a trusted third party (TTP)
Motivation for Kerberos
• Authentication using public keys
  o N users ⇒ N key pairs
• Authentication using symmetric keys
  o N users requires about N^2 keys
• Symmetric key case does not scale!
• Kerberos is based on symmetric keys but only requires N keys for N users
  o But must rely on TTP
  o Advantage is that no PKI is required
Kerberos KDC
• Kerberos Key Distribution Center or KDC
  o Acts as a TTP
  o TTP must not be compromised!
  o KDC shares symmetric key K_A with Alice, key K_B with Bob, key K_C with Carol, etc.
  o Master key K_KDC known only to KDC
  o KDC enables authentication and session keys
  o Keys for confidentiality and integrity
  o In practice, the crypto algorithm used is DES
Kerberos Tickets
• KDC issues a ticket containing info needed to access a network resource
• KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets
• Each TGT contains
  o Session key
  o User’s ID
  o Expiration time
• Every TGT is encrypted with K_KDC
  o TGT can only be read by the KDC
Kerberized Login
• Alice enters her password
• Alice’s workstation
  o Derives K_A from Alice’s password
  o Uses K_A to get TGT for Alice from the KDC
• Alice can then use her TGT (credentials) to securely access network resources
• Plus: Security is transparent to Alice
• Minus: KDC must be secure, it’s trusted!
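Kerberized Login
[Figure: message flow between Alice, Alice’s computer and the KDC]
• Alice → Computer: Alice’s password
• Computer → KDC: Alice wants a TGT
• KDC → Computer: E(S_A, TGT, K_A)
• Key K_A derived from Alice’s password
• KDC creates session key S_A
• Workstation decrypts S_A, TGT, forgets K_A
• TGT = E(“Alice”, S_A, K_KDC)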
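Alice Requests Ticket to Bob
[Figure: message flow between Alice, Alice’s computer and the KDC]
• Alice → Computer: I want to talk to Bob
• Computer → KDC: REQUEST
• KDC → Computer: REPLY
• Computer → Alice: Talk to Bob
• REQUEST = (TGT, authenticator) where authenticator = E(timestamp, S_A)
• REPLY = E(“Bob”, K_AB, ticket to Bob, S_A)
• ticket to Bob = E(“Alice”, K_AB, K_B)
• KDC gets S_A from TGT to verify timestamp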
Alice Uses Ticket to Bob
[Figure: message flow between Alice’s computer and Bob]
• Alice’s Computer → Bob: ticket to Bob, authenticator
• Bob → Alice’s Computer: E(timestamp + 1, K_AB)
• ticket to Bob = E(“Alice”, K_AB, K_B)
• authenticator = E(timestamp, K_AB)
• Bob decrypts “ticket to Bob” to get K_AB which he then uses to verify timestamp
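The three exchanges above (Kerberized login, ticket request, use of the ticket) run end to end in the sketch below, which is an added example and not part of the lecture slides. Assumptions: E() is a toy authenticated cipher built from SHAKE-256 and HMAC-SHA256 standing in for DES, h() is SHA-256, and the 300-second clock skew, the replay cache at Bob and all function names are illustrative.

```python
import hashlib, hmac, json, os, time

def h(password):                      # K_A = h(Alice's password), hex-encoded
    return hashlib.sha256(password.encode()).hexdigest()

def E(obj, key):                      # the slides' E(plaintext, key); toy cipher, not DES
    k, nonce, pt = bytes.fromhex(key), os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(k + nonce).digest(len(pt))))
    return (nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()).hex()

def D(blob, key):
    k, raw = bytes.fromhex(key), bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    pad = hashlib.shake_256(k + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, pad)))

class KDC:
    def __init__(self, passwords):
        self.keys = {u: h(p) for u, p in passwords.items()}   # K_A, K_B, ...
        self.k_kdc = os.urandom(32).hex()                      # K_KDC, never leaves the KDC

    def login(self, user):            # reply E(S_A, TGT, K_A); S_A is not stored (stateless)
        s = os.urandom(32).hex()
        tgt = E({"id": user, "S": s, "exp": time.time() + 3600}, self.k_kdc)
        return E({"S": s, "TGT": tgt}, self.keys[user])

    def ticket(self, tgt, authenticator, target, skew=300):
        t = D(tgt, self.k_kdc)                                 # recover S_A from the TGT
        ts = D(authenticator, t["S"])["ts"]
        if time.time() > t["exp"] or abs(time.time() - ts) > skew:
            raise ValueError("expired TGT or stale timestamp")
        k_ab = os.urandom(32).hex()
        to_bob = E({"id": t["id"], "K": k_ab}, self.keys[target])
        return E({"to": target, "K": k_ab, "ticket": to_bob}, t["S"])

def bob_accept(ticket, authenticator, k_b, seen, skew=300):
    t = D(ticket, k_b)                                         # Bob learns K_AB and "Alice"
    ts = D(authenticator, t["K"])["ts"]
    if abs(time.time() - ts) > skew or (t["id"], ts) in seen:
        raise ValueError("stale or replayed authenticator")
    seen.add((t["id"], ts))
    return t["id"], E({"ts": ts + 1}, t["K"])                  # E(timestamp + 1, K_AB)

def demo():                                                    # constructed passwords
    kdc = KDC({"Alice": "constructed-pw", "Bob": "constructed-service-pw"})
    login = D(kdc.login("Alice"), h("constructed-pw"))         # workstation then forgets K_A
    rep = D(kdc.ticket(login["TGT"], E({"ts": time.time()}, login["S"]), "Bob"), login["S"])
    ts, seen = time.time(), set()
    auth = E({"ts": ts}, rep["K"])
    who, answer = bob_accept(rep["ticket"], auth, h("constructed-service-pw"), seen)
    mutual = D(answer, rep["K"])["ts"] == ts + 1               # Bob proved he knows K_AB
    try:
        bob_accept(rep["ticket"], auth, h("constructed-service-pw"), seen)
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return who, mutual, replay_accepted
```

The KDC object keeps no per-session state: S_A exists only inside the TGT and in the reply to Alice, which is why the TGT must come back with every ticket request.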
Kerberos
• Session key S_A used for authentication
• Can also be used for confidentiality/integrity
• Timestamps used for mutual authentication
• Recall that timestamps reduce number of messages
  o Acts like a nonce that is known to both sides
  o Note: time is a security-critical parameter!
Kerberos Questions
• When Alice logs in, KDC sends E(S_A, TGT, K_A) where TGT = E(“Alice”, S_A, K_KDC)
  Q: Why is TGT encrypted with K_A?
  A: Extra work and no added security!
• In Alice’s Kerberized login to Bob, why can Alice remain anonymous?
• Why is “ticket to Bob” sent to Alice?
• Where is replay prevention in Kerberos?
Kerberos Alternatives
• Could have Alice’s workstation remember password and use that for authentication
  o Then no KDC required
  o But hard to protect password on workstation
  o Scaling problem
• Could have KDC remember session key instead of putting it in a TGT
  o Then no need for TGTs
  o But stateless KDC is big feature of Kerberos
Kerberos Keys
• In Kerberos, K_A = h(Alice’s password)
• Could instead generate random K_A and
  o Compute K_h = h(Alice’s password)
  o And workstation stores E(K_A, K_h)
• Then K_A need not change (on workstation or KDC) when Alice changes her password
• But E(K_A, K_h) subject to password guessing
• This alternative approach is often used in applications (but not in Kerberos)
See MAMS presentation
Rainbow tables
Rainbow tables
GSM Security
Cell Phones
• First generation cell phones
  o Analog, few standards
  o Little or no security
  o Susceptible to cloning
• Second generation cell phones: GSM
  o Began in 1982 as Groupe Speciale Mobile
  o Now, Global System for Mobile Communications
• Third generation?
  o 3rd Generation Partnership Project (3GPP)
GSM System Overview
[Figure: system overview. Labels in the figure: Mobile, air interface, Base Station, Base Station Controller, VLR, Visited Network, “land line”, PSTN, Internet, etc., Home Network, HLR, AuC]
GSM System Components
• Mobile phone
  o Contains SIM (Subscriber Identity Module)
• SIM is the security module
  o IMSI (International Mobile Subscriber ID)
  o User key Ki (128 bits)
  o Tamper resistant (smart card)
  o PIN activated (usually not used)
[Figure: SIM]
GSM System Components
• Visited network: network where mobile is currently located
  o Base station: one “cell”
  o Base station controller: manages many cells
  o VLR (Visitor Location Register): info on all visiting mobiles currently in the network
• Home network: “home” of the mobile
  o HLR (Home Location Register): keeps track of most recent location of mobile
  o AuC (Authentication Center): contains IMSI/Ki
GSM Security Goals
• Primary design goals
  o Make GSM as secure as ordinary telephone
  o Prevent phone cloning
• Not designed to resist an active attack!
  o At the time this seemed infeasible
  o Today such an attack is very feasible…
• Designers considered biggest threats
  o Insecure billing
  o Corruption
  o Other low-tech attacks
GSM Security Features
• Anonymity
  o Intercepted traffic does not identify user
  o Not so important to phone company
• Authentication
  o Necessary for proper billing
  o Very important to phone company!
• Confidentiality
  o Confidentiality of calls over the air interface
  o Not important to phone company
  o May be very important for marketing!
GSM: Anonymity
• IMSI used to initially identify caller
• Then TMSI (Temporary Mobile Subscriber ID) used
• TMSI changed frequently
• TMSI’s encrypted when sent
• Not a strong form of anonymity
• But probably sufficient for most uses
GSM: Authentication
• Caller is authenticated to base station
• Authentication is not mutual
• Authentication via challenge-response
  o Home network generates RAND and computes XRES = A3(RAND, Ki) where A3 is a hash
  o Then (RAND, XRES) sent to base station
  o Base station sends challenge RAND to mobile
  o Mobile’s response is SRES = A3(RAND, Ki)
  o Base station verifies SRES = XRES
• Note: Ki never leaves home network!
GSM: Confidentiality
• Data encrypted with stream cipher
• Error rate estimated at about 1/1000
  o Error rate too high for a block cipher
• Encryption key Kc
  o Home network computes Kc = A8(RAND, Ki), where A8 is a hash
  o Then Kc sent to base station with (RAND, XRES)
  o Mobile computes Kc = A8(RAND, Ki)
  o Keystream generated from A5(Kc)
• Note: Ki never leaves home network!
GSM Security
• SRES and Kc must be uncorrelated
  o Even though both are derived from RAND and Ki
• Must not be possible to deduce Ki from known RAND/SRES pairs (known plaintext attack)
• Must not be possible to deduce Ki from chosen RAND/SRES pairs (chosen plaintext attack)
  o With possession of SIM, attacker can choose RAND’s
[Figure: message flow between Mobile, Base Station and Home Network]
1. Mobile → Base Station: IMSI
2. Base Station → Home Network: IMSI
3. Home Network → Base Station: (RAND, XRES, Kc)
4. Base Station → Mobile: RAND
5. Mobile → Base Station: SRES
6. Mobile ↔ Base Station: Encrypt with Kc
GSM Insecurity (1)
• Hash used for A3/A8 is COMP128
  o Broken by 160,000 chosen plaintexts
  o With SIM, can get Ki in 2 to 10 hours
• Encryption between mobile and base station but no encryption from base station to base station controller
  o Often transmitted over microwave link
• Encryption algorithm A5/1
  o Broken with 2 seconds of known plaintext
[Figure: Base Station, Base Station Controller, VLR]
GSM Insecurity (2)
• Attacks on SIM card
  o Optical Fault Induction: can attack SIM with a flashbulb to recover Ki
  o Partitioning Attacks: using timing and power consumption, can recover Ki with only 8 adaptively chosen “plaintexts”
• With possession of SIM, attacker can recover Ki in seconds
GSM Insecurity (3)
• Fake base station exploits two flaws
  o Encryption not automatic
  o Base station not authenticated
[Figure: Mobile and Fake Base Station exchange RAND and SRES with no encryption; Fake Base Station places the call to the destination through the Base Station]
• Note: The bill goes to fake base station!
GSM Insecurity (4)
• Denial of service is possible
  o Jamming (always an issue in wireless)
• Base station can replay triple (RAND, XRES, Kc)
  o One compromised triple gives attacker a key Kc that is valid forever
  o No replay protection!
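The GSM challenge-response from the authentication and confidentiality slides, and the triple replay noted just above, as an added example that is not part of the lecture. Assumptions: HMAC-SHA256 truncated to 32 and 64 bits stands in for A3 and A8 (COMP128 is not implemented), and the class names and the IMSI are constructed for the illustration.

```python
import hashlib, hmac, os

def A3(rand, ki):                     # stand-in for A3 (not COMP128): 32-bit SRES/XRES
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def A8(rand, ki):                     # stand-in for A8: 64-bit cipher key Kc
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):          # answers any RAND: sender and freshness are unchecked
        return A3(rand, self._ki), A8(rand, self._ki)

class HomeNetwork:
    def __init__(self):
        self.auc = {}                 # AuC: IMSI -> Ki

    def provision(self, imsi):
        self.auc[imsi] = os.urandom(16)          # 128-bit user key Ki
        return SIM(imsi, self.auc[imsi])

    def triple(self, imsi):           # (RAND, XRES, Kc); Ki itself is never sent
        rand, ki = os.urandom(16), self.auc[imsi]
        return rand, A3(rand, ki), A8(rand, ki)

def authenticate(sim, triple):
    """Base station side: challenge the mobile and compare SRES with XRES."""
    rand, xres, kc = triple
    sres, kc_mobile = sim.respond(rand)          # only SRES is sent back over the air
    return hmac.compare_digest(sres, xres), kc == kc_mobile

def demo():
    home = HomeNetwork()
    sim = home.provision("001010000000001")      # constructed test IMSI
    other = SIM(sim.imsi, os.urandom(16))        # same IMSI but a different Ki
    t = home.triple(sim.imsi)
    first = authenticate(sim, t)                 # normal run
    replay = authenticate(sim, t)                # same triple again: accepted, same Kc
    wrong_ki = authenticate(other, t)            # without Ki neither SRES nor Kc match
    return first, replay, wrong_ki
```

Nothing in the mobile's side ties RAND to a point in time or to an authenticated sender, which is what the 3G changes listed in the 3GPP slide address.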
GSM Conclusion
• Did GSM achieve its goals?
  o Eliminate cloning? Yes
  o Make air interface as secure as PSTN? Perhaps…
  o But design goals were clearly too limited
• GSM insecurities: weak crypto, SIM issues, fake base station, replay, etc.
• PSTN insecurities: tapping, active attack, passive attack (e.g., cordless phones), etc.
• GSM a (modest) security success?
3GPP: 3rd Generation Partnership Project
• 3G security built on GSM (in)security
• 3G fixes known GSM security problems
  o Mutual authentication
  o Integrity protect signaling (such as “start encryption” command)
  o Keys (encryption/integrity) cannot be reused
  o Triples cannot be replayed
  o Strong encryption algorithm (KASUMI)
  o Encryption extended to base station controller