Security of Systems and Networks November 19 Lecture 7 Authentication & Kerberos Jaap van Ginkel

Jaap van Ginkel - os3.nl · PDF fileStory is here • To prevent photo attack, ... In Greek mythology, Kerberos is 3-headed dog that guards entrance to Hades

Mar 09, 2018

Transcript
Page 1:

Security of Systems and Networks

November 19, Lecture 7: Authentication & Kerberos

Jaap van Ginkel

Page 2:

Authentication

SNE SSN

Page 3:

The problem illustrated

Thanks to Ton Verschuren

Page 4:

Terminology

• Identification: "who are you?"
• Authentication: "prove it!" (AUTHN)
• Authorization: "these you can do" (AUTHZ)
• Different levels of authentication:
  – Weak (something you know)
  – Strong (something you have and something you know)
  – Biometrics (something you are)

Page 5:

Examples

• Something you know
  – Password
  – Address/birthday combination
  – PIN code
• Something you have
  – Key
  – Bank card
  – Driver's license
  – Letter
• Something you are
  – Fingerprint
  – DNA profile
  – Iris print

Page 6:

User name and password

• Weak authentication
• User friendly
  – Works everywhere
• Very common
• Alternatives are difficult
• Extended life span
  – Awareness
  – Safe implementation

Page 7:

Common passwords (password and number of occurrences)

Password      Count
123456         1375
Ficken          404
12345           367
Hallo           362
123456789       260
Schatz          253
12345678        215

Page 8:

Chocolate passwords: 2004 research at Liverpool Street Station

• 70% gave up their password for chocolate
  http://news.bbc.co.uk/2/hi/technology/3639679.stm

Page 9:

Alternatives

Page 10:

Passfaces


Page 12:

But where do people click

Page 13:

Certificate based

• Public Key Infrastructure
• X.509 certificates
• Open standard
• Can be used in strong authentication
• Complex for the end user
• High cost
• Used for server-side authentication
• Wide support

Page 14:

Smart cards

• Not many successful implementations
  – Card reader
  – Logistics
  – Expensive
• Standardisation poor

Page 15:

USB Tokens

• Smartcard with reader

Page 16:

SecurID

• One-time password (a time-based token code; not a one-time pad)
• PIN code
• Easy to integrate
• Clock sync (token and server clocks must stay in step)

Page 17:

One Time Pads

• Maurits van der Schee

Page 18:

WEBISO

• Web Initial Sign-on
• Framework and architecture
• Broad support

Page 19:

Athens

• British
• 1996
• Aimed at libraries
• Health sector
• Very successful
  – Millions of users
• Migrated to Shibboleth / SAML 2.0

Page 20:

PAPI

• Spanish initiative
• In production
• Proven inter-organisational use
• Reasonable support
• Moving to SAML

Page 21:

Pubcookie

• University of Washington
• Strongly resembles A-Select
• Broad support

Page 22:

A-Select

• Dutch initiative
• SURFnet
• No open source
• Many platforms
• Strong authentication with Niegefoon and Niegebach
• DigiD

Page 23:

Shibboleth

• "Scheveningen" and "Lollapalooza": pronunciation shibboleths used to tell friend from foe
• Internet2 middleware initiative
• Good architecture
• Focus on privacy

Page 24:

Shibboleth

Page 25:

What is Shibboleth?

• Internet2/MACE project (open source)
• "Inter-institutional" authorization for web resources
• Authorization with privacy
• User data remains local
• More control for the user and the home organization
• More control for publishers

Page 26:

Crossing the Jordan

• Pronunciation password
• War between Ephraimites and Gileadites
• Bible: Judges 12:1-15
• 42,000 were killed

Page 27:

Old and New

• So they said to him: "Say now Shibboleth"; but he said "Sibboleth", and could not pronounce it right; so they seized him and slew him at the fords of the Jordan, so that at that time forty-two thousand of Ephraim fell.

• …………

Under embargo until 17:00

……….

Page 28:

Shibboleth terminology

Components:

1. Shibboleth Indexical Reference Establisher (SHIRE)
2. Handle Service (HS)
3. Where Are You From (WAYF)
4. Authentication System (AS)
5. Shibboleth Attribute Requestor (SHAR)
6. Resource Manager (RM)

1. Security Assertion Markup Language (SAML)
2. Attribute Release Policies (ARP)
3. Attribute Acceptance Policies (AAP)

Page 29:

Shibboleth architecture

Page 30:

Shibboleth: access to ScienceDirect

(Figure: a user from the UvA accessing Elsevier's ScienceDirect. At the publisher: SHIRE, SHAR and the Resource Manager. In between: the WAYF. At the home organisation: Handle Service (HS), User DB and Attribute Authority (AA). The numbered exchanges, with the speech bubbles translated from Dutch:)

1. The user requests a ScienceDirect resource.
2. SHIRE: "I don't know you; which organisation are you from?" The user is sent to the WAYF.
3. WAYF: "Tell me where you come from."
4. WAYF: "OK, I'll send the request to the Handle Service of your organisation."
5. HS: "I don't know you; can you authenticate first?"
6. The user presents credentials, which are checked against the User DB.
7. HS: "OK, now I know you. I forward your request with a handle."
8. SHIRE receives the handle and passes it to SHAR: "I don't know this user's attributes, so I request them."
9. SHAR sends the handle to the AA. AA: "OK, I pass on the attributes the user has consented to."
10. The attributes go to the Resource Manager: "OK, based on these attributes I grant access."
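The exchange above, reduced to its privacy-relevant core as an added example (not part of the original slides and not Shibboleth code): a home organisation that mints an opaque handle after login and releases attributes according to an attribute release policy, and a publisher that filters what it receives through its attribute acceptance policy before the resource manager decides. The user name, password, attribute names and the ScienceDirect policy are constructed for this example.

```python
import secrets


class IdentityProvider:
    """Home organisation: Handle Service (HS) plus Attribute Authority (AA)."""

    def __init__(self, users, arp):
        self.users = users      # user -> {"password": ..., "attrs": {...}} (constructed user DB)
        self.arp = arp          # Attribute Release Policy: publisher name -> releasable attributes
        self.handles = {}       # opaque handle -> user

    def authenticate(self, user, password):
        """HS (steps 5-7): check the credentials against the user DB and mint a handle."""
        record = self.users.get(user)
        if record is None or not secrets.compare_digest(record["password"], password):
            return None
        handle = secrets.token_hex(16)   # random and opaque: carries no identity to the publisher
        self.handles[handle] = user
        return handle

    def attributes(self, handle, sp_name):
        """AA (step 9): release only what the ARP allows for this publisher."""
        user = self.handles.get(handle)
        if user is None:
            return {}
        allowed = self.arp.get(sp_name, set())
        return {k: v for k, v in self.users[user]["attrs"].items() if k in allowed}


class ServiceProvider:
    """Publisher: SHAR fetches attributes, the AAP filters them, the Resource Manager decides."""

    def __init__(self, name, aap, policy):
        self.name = name
        self.aap = aap          # Attribute Acceptance Policy: attributes the SP will look at
        self.policy = policy    # Resource Manager rule: attributes -> bool

    def access(self, idp, handle):
        """Steps 8-10: ask the AA for the handle's attributes, then grant or deny."""
        released = idp.attributes(handle, self.name)
        accepted = {k: v for k, v in released.items() if k in self.aap}
        return self.policy(accepted), accepted


def demo():
    # Constructed user DB: Alice has more attributes than ScienceDirect needs to see.
    users = {"alice": {"password": "s3cret",
                       "attrs": {"eduPersonAffiliation": "student",
                                 "displayName": "Alice",
                                 "mail": "alice@uva.example"}}}
    # ARP: only the affiliation may be released to the publisher "sciencedirect".
    idp = IdentityProvider(users, arp={"sciencedirect": {"eduPersonAffiliation"}})
    sp = ServiceProvider(
        "sciencedirect",
        aap={"eduPersonAffiliation", "eduPersonEntitlement"},
        policy=lambda a: a.get("eduPersonAffiliation") in {"student", "staff"},
    )
    handle = idp.authenticate("alice", "s3cret")    # steps 5-7
    granted, seen_by_sp = sp.access(idp, handle)     # steps 8-10
    return granted, seen_by_sp, handle
```

The publisher only ever sees the handle and the released attributes; the name and e-mail address stay at the home organisation. Removing "eduPersonAffiliation" from the ARP makes the Resource Manager deny access without the publisher learning anything more about the user.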

Page 31:

Demo

• Thanks to SWITCH AAI
• Resource is kohala.switch.ch
• WAYF is wayf1.switch.ch
• Identity Provider is maunakea.switch.ch
• http://www.switch.ch/aai/demo/demo_live.html

Page 32:

A-Select

• Integration with Shibboleth
  – Not yet in production
• Replacement for PubCookie
• Many authentication methods

Page 33:

TIQR

Page 34:

TIQR

• Dutch initiative (SURFnet)
• OATH: Initiative for Open Authentication
• OCRA: OATH Challenge-Response Algorithm (RFC 6287)
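OCRA as used in a TIQR-style challenge-response login, as an added example that is not code from the slides, from TIQR or from the OATH reference implementation: a direct implementation of RFC 6287 for the challenge-only suite OCRA-1:HOTP-SHA1-6:QN08 (and the alphanumeric QA08 variant), plus a minimal server that issues one fresh 8-digit challenge per login attempt and a token that answers it. The class names, the user name and the single-use challenge table are assumptions of this example; with the RFC's 20-byte standard key (ASCII "12345678901234567890") the function reproduces the RFC 6287 Appendix C test vectors.

```python
import hashlib
import hmac
import secrets


def ocra(key: bytes, suite: str, question: str) -> str:
    """RFC 6287 OCRA for suites OCRA-1:HOTP-SHA1-<digits>:QN08 or QA08
    (challenge only: no counter, PIN, session information or timestamp)."""
    _, crypto, data_in = suite.split(":")
    algo, hash_name, digits = crypto.split("-")
    if algo != "HOTP" or hash_name != "SHA1" or data_in[0] != "Q":
        raise ValueError("unsupported suite for this example")
    qtype = data_in[1]
    if qtype == "N":                                   # numeric challenge: decimal -> hex digits
        q_hex = format(int(question, 10), "X")
    elif qtype == "A":                                 # alphanumeric challenge: its ASCII bytes
        q_hex = question.encode("ascii").hex().upper()
    else:
        raise ValueError("unsupported question type")
    q_bytes = bytes.fromhex(q_hex.ljust(256, "0"))     # right-padded with zeros to 128 bytes
    data = suite.encode("ascii") + b"\x00" + q_bytes   # DataInput = OCRASuite || 00 || Q
    h = hmac.new(key, data, hashlib.sha1).digest()
    off = h[-1] & 0x0F                                 # HOTP dynamic truncation
    code = ((h[off] & 0x7F) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3]
    return str(code % 10 ** int(digits)).zfill(int(digits))


class OcraServer:
    """Server side of a challenge-response login: one fresh challenge per attempt."""

    def __init__(self, suite="OCRA-1:HOTP-SHA1-6:QN08"):
        self.suite, self.keys, self.pending = suite, {}, {}

    def enroll(self, user: str, key: bytes):
        self.keys[user] = key                 # shared secret provisioned into the user's app/token

    def challenge(self, user: str) -> str:
        q = "".join(str(secrets.randbelow(10)) for _ in range(8))   # 8 random decimal digits
        self.pending[user] = q
        return q

    def verify(self, user: str, response: str) -> bool:
        q = self.pending.pop(user, None)      # single use: a replayed response has no challenge to match
        if q is None or user not in self.keys:
            return False
        return hmac.compare_digest(ocra(self.keys[user], self.suite, q), response)


class OcraToken:
    """Client side (the phone app): computes the response to the displayed challenge."""

    def __init__(self, key: bytes, suite="OCRA-1:HOTP-SHA1-6:QN08"):
        self.key, self.suite = key, suite

    def respond(self, question: str) -> str:
        return ocra(self.key, self.suite, question)


def login_round_trip(key: bytes):
    """Constructed exchange: (first attempt accepted, replay of the same response accepted)."""
    server, token = OcraServer(), OcraToken(key)
    server.enroll("alice", key)
    q = server.challenge("alice")
    r = token.respond(q)
    first = server.verify("alice", r)
    replay = server.verify("alice", r)        # no pending challenge any more
    return first, replay
```

The single-use challenge table is what turns an OTP into a challenge-response scheme: a response captured on the wire cannot be replayed because the server has already discarded the challenge it belongs to.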

Page 35:

• OpenID provider (OP)
• OpenID relying party (RP)
• Microsoft, Google, Facebook, PayPal

Page 36:

Biometrics

Slides from the publisher

Page 37:

Something You Are

• Biometric
  – "You are your key" (Schneier)

(Figure: the three factors: Know, Have, Are)

• Examples
  – Fingerprint
  – Handwritten signature
  – Facial recognition
  – Speech recognition
  – Gait (walking) recognition
  – "Digital doggie" (odor recognition)
  – Many more!

Page 38:

Why Biometrics?

• Biometrics seen as a desirable replacement for passwords
• Cheap and reliable biometrics needed
• Today, a very active area of research
• Biometrics are used in security today
  – Thumbprint mouse
  – Palm print for secure entry
  – Fingerprint to unlock car door, etc.
• But biometrics not too popular
  – Has not lived up to its promise (yet?)

Page 39:

Ideal Biometric

• Universal: applies to (almost) everyone
  – In reality, no biometric applies to everyone
• Distinguishing: distinguishes with certainty
  – In reality, cannot hope for 100% certainty
• Permanent: the physical characteristic being measured never changes
  – In reality, want it to remain valid for a long time
• Collectable: easy to collect the required data
  – Depends on whether subjects are cooperative
• Safe, easy to use, etc., etc.

Page 40:

Biometric Modes

• Identification: Who goes there?
  – Compare one to many
  – Example: the FBI fingerprint database
• Authentication: Is that really you?
  – Compare one to one
  – Example: thumbprint mouse
• Identification problem more difficult
  – More "random" matches since more comparisons
• We are interested in authentication

Page 41:

Enrollment vs Recognition

• Enrollment phase
  – Subject's biometric info put into database
  – Must carefully measure the required info
  – OK if slow and repeated measurement needed
  – Must be very precise for good recognition
  – A weak point of many biometric schemes
• Recognition phase
  – Biometric detection when used in practice
  – Must be quick and simple
  – But must be reasonably accurate

Page 42:

Cooperative Subjects

• We are assuming cooperative subjects
• In the identification problem we often have uncooperative subjects
• For example, facial recognition
  – Proposed for use in Las Vegas casinos to detect known cheaters
  – Also as a way to detect terrorists in airports, etc.
  – Probably do not have ideal enrollment conditions
  – Subject will try to confuse the recognition phase
• Cooperative subject makes it much easier!
  – In authentication, subjects are cooperative

Page 43:

Biometric Errors

• Fraud rate versus insult rate
  – Fraud: user A mis-authenticated as user B (a false accept)
  – Insult: user A not authenticated as user A (a false reject)
• For any biometric, can decrease fraud or insult, but the other will increase
• For example
  – Require a 99% voiceprint match ⇒ low fraud, high insult
  – Require a 30% voiceprint match ⇒ high fraud, low insult
• Equal error rate: the threshold setting where fraud rate == insult rate
  – The best single measure for comparing biometrics

Page 44:

Fingerprint History

• 1823: Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns
• 1856: Sir William Herschel used fingerprints (in India) on contracts
• 1880: Dr. Henry Faulds' article in Nature about fingerprints for ID
• 1883: Mark Twain's Life on the Mississippi: a murderer ID'ed by fingerprint

Page 45:

Fingerprint History

• 1888: Sir Francis Galton (cousin of Darwin) developed a classification system
  – His system of "minutiae" is still in use today
  – Also verified that fingerprints do not change
• Some countries require a number of points (i.e., minutiae) to match in criminal cases
  – In Britain, 15 points
  – In the US, no fixed number of points required

Page 46:

Fingerprint Comparison

(Figure: loop (double), whorl, arch)

• Examples of loops, whorls and arches
• Minutiae extracted from these features

Page 47:

Fingerprint Biometric

• Capture image of fingerprint
• Enhance image
• Identify minutiae

Page 48:

Fingerprint Biometric

• Extracted minutiae are compared with the user's minutiae stored in a database
• Is it a statistical match?

Page 49:

Hand Geometry

• Popular form of biometric
• Measures shape of hand
  – Width of hand, fingers
  – Length of fingers, etc.
• Human hands not unique
• Hand geometry sufficient for many situations
• Suitable for authentication
• Not useful for the ID problem

Page 50:

Hand Geometry

• Advantages
  – Quick
  – 1 minute for enrollment
  – 5 seconds for recognition
  – Hands symmetric (use other hand backwards)
• Disadvantages
  – Cannot use on very young or very old
  – Relatively high equal error rate

Page 51:

Iris Patterns

• Iris pattern development is "chaotic"
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime

Page 52:

Iris Recognition: History

• 1936: suggested by Frank Burch
• 1980s: James Bond films
• 1986: first patent appeared
• 1994: John Daugman patented the best current approach
  – Patent owned by Iridian Technologies

Page 53:

Iris Scan

• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• Find 2-D wavelet transform
• Get 256-byte iris code

Page 54:

Iris Scan Error Rate

Distance (Hamming distance between iris codes) versus fraud rate; the original slide marks one row as the equal error rate.

distance   fraud rate
0.29       1 in 1.3 × 10^10
0.30       1 in 1.5 × 10^9
0.31       1 in 1.8 × 10^8
0.32       1 in 2.6 × 10^7
0.33       1 in 4.0 × 10^6
0.34       1 in 6.9 × 10^5
0.35       1 in 1.3 × 10^5

Page 55:

Attack on Iris Scan

• A good photo of an eye can be scanned
• And an attacker can use a photo of an eye
• An Afghan woman was authenticated by an iris scan of an old photo
  – Story is here
• To prevent the photo attack, the scanner could use light to be sure it is a "live" iris

Page 56:

Equal Error Rate Comparison

• Equal error rate (EER): fraud rate == insult rate
• Fingerprint biometric has an EER of about 5%
• Hand geometry has an EER of about 10^-3
• In theory, iris scan has an EER of about 10^-6
  – But in practice, hard to achieve
  – Enrollment phase must be extremely accurate
• Most biometrics much worse than fingerprint!
• Biometrics useful for authentication…
• But ID biometrics are almost useless today
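The fraud/insult trade-off of pages 43 and 56 made concrete, as an added example that is not from the slides: constructed matcher scores for ten genuine and ten impostor attempts, a sweep of the acceptance threshold, and the threshold at which the two error rates meet. The score lists are invented for illustration; a real evaluation would use thousands of samples and report the curve, not a single point.

```python
# Constructed matcher scores in [0, 1]: higher means "looks more like the enrolled user".
# Ten attempts by the enrolled user and ten by impostors; the numbers are invented.
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.62, 0.55, 0.40]
IMPOSTOR = [0.65, 0.58, 0.50, 0.45, 0.42, 0.38, 0.35, 0.30, 0.25, 0.20]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a sample iff score >= threshold.
    Returns (fraud rate, insult rate): impostors accepted, genuine users rejected."""
    fraud = sum(s >= threshold for s in impostor) / len(impostor)
    insult = sum(s < threshold for s in genuine) / len(genuine)
    return fraud, insult


def tradeoff_curve(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, fraud, insult) for every threshold that can change a decision.
    Raising the threshold lowers fraud and raises insult; lowering it does the opposite."""
    return [(t, *rates(t, genuine, impostor)) for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where fraud and insult rates meet; the EER is their value there."""
    t, fraud, insult = min(tradeoff_curve(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (fraud + insult) / 2
```

With these scores a strict threshold of 0.85 gives no fraud but rejects 7 of 10 genuine attempts, a lax threshold of 0.30 accepts 8 of 10 impostors, and the two rates meet at 0.58 with an EER of 20%; a usable biometric wants that meeting point orders of magnit ude lower, which is what the per-modality EER figures above compare.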

Page 57:

Biometrics: The Bottom Line

• Biometrics are hard to forge
• But an attacker could
  – Steal Alice's thumb
  – Photocopy Bob's fingerprint, eye, etc.
  – Subvert software, database, "trusted path", …
• Also, how to revoke a "broken" biometric?
• Biometrics are not foolproof!
• Biometric use is limited today
• That should change in the future…

Page 58:

Keep watching the effectiveness

Page 59:

Page 60:

Zero Knowledge Proofs

Page 61:

Zero Knowledge Proof (ZKP)

• Alice wants to prove that she knows a secret without revealing any info about it
• Bob must verify that Alice knows the secret
  – Even though he gains no info about the secret
• Process is probabilistic
  – Bob can verify that Alice knows the secret to an arbitrarily high probability
• An "interactive proof system"

Page 62:

Bob's Cave

Alice claims to know the secret phrase to open the path between R and S ("open sarsparilla").

Can she convince Bob that she knows the secret without revealing the phrase?

(Figure: a cave with entrance P, a fork at Q, and two branches R and S, joined at the far end by the secret door.)

Page 63:

Bob's Cave

Bob: "Alice, come out on the S side."

Alice (quietly): "Open sarsparilla."

If Alice does not know the secret, then she could come out from the correct side with probability 1/2.

If Bob repeats this n times, then Alice (who does not know the secret) can only fool Bob with probability 1/2^n.

(Figure: the same cave, P, Q, R, S.)
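Bob's cave as a simulation, an added example that is not part of the original slides: an honest prover, a prover without the secret who must commit to a side before Bob's challenge, and a deliberately broken ordering in which Bob names the side first. The round functions, the seeds and the trial counts are this example's own.

```python
import random


def honest_round(rng):
    """Alice knows the secret: whichever side Bob names, she can come out there."""
    rng.choice("RS")       # she still walks in on a random side, unseen by Bob
    return True


def cheater_round(rng):
    """Alice does not know the secret. She commits to a side BEFORE Bob's challenge,
    so she exits on the named side only if her guess happened to match."""
    entered = rng.choice("RS")
    asked = rng.choice("RS")
    return entered == asked


def broken_order_round(rng):
    """Insecure variant: Bob names the side before Alice enters. A cheater simply walks
    in on that side, so the protocol proves nothing."""
    asked = rng.choice("RS")
    entered = asked
    return entered == asked


def run_protocol(round_fn, n_rounds, seed=0):
    """Bob accepts only if every one of the n rounds succeeds."""
    rng = random.Random(seed)
    return all(round_fn(rng) for _ in range(n_rounds))


def cheat_probability(n_rounds):
    """Exact chance that a secret-less Alice survives n rounds of the correct protocol."""
    return 0.5 ** n_rounds


def empirical_cheat_rate(round_fn, n_rounds, trials, seed=1):
    """Fraction of simulated protocol runs in which a cheater is accepted."""
    rng = random.Random(seed)
    wins = sum(all(round_fn(rng) for _ in range(n_rounds)) for _ in range(trials))
    return wins / trials
```

The ordering is the whole point: the prover's commitment (which branch she enters) must be fixed before the verifier's random challenge, otherwise the challenge constrains nothing. Ten rounds already push the cheater's chance below one in a thousand; twenty below one in a million.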

Page 64:

Rainbow tables

Page 65:

Kerberos

• In Greek mythology, Kerberos is the 3-headed dog that guards the entrance to Hades
  – "Wouldn't it make more sense to guard the exit?"
• In security, Kerberos is an authentication system based on symmetric key crypto
  – Originated at MIT
  – Based on work by Needham and Schroeder
  – Relies on a trusted third party (TTP)

Page 66:

Motivation for Kerberos

• Authentication using public keys
  – N users ⇒ N key pairs
• Authentication using symmetric keys
  – N users requires about N² keys (one shared key per pair, N(N−1)/2 in total)
• Symmetric key case does not scale!
• Kerberos is based on symmetric keys but only requires N keys for N users
  – But must rely on a TTP
  – Advantage is that no PKI is required

Page 67:

Kerberos KDC

• Kerberos Key Distribution Center, or KDC
  – Acts as a TTP
  – TTP must not be compromised!
  – KDC shares symmetric key K_A with Alice, key K_B with Bob, key K_C with Carol, etc.
  – Master key K_KDC known only to the KDC
  – KDC enables authentication and session keys
  – Keys for confidentiality and integrity
  – In practice, the crypto algorithm used is DES (true when these slides were written; DES was deprecated for Kerberos by RFC 6649 and current implementations use AES)

Page 68:

Kerberos Tickets

• KDC issues a ticket containing the info needed to access a network resource
• KDC also issues ticket-granting tickets, or TGTs, that are used to obtain tickets
• Each TGT contains
  – Session key
  – User's ID
  – Expiration time
• Every TGT is encrypted with K_KDC
  – TGT can only be read by the KDC

Page 69:

Kerberized Login

• Alice enters her password
• Alice's workstation
  – Derives K_A from Alice's password
  – Uses K_A to get a TGT for Alice from the KDC
• Alice can then use her TGT (credentials) to securely access network resources
• Plus: security is transparent to Alice
• Minus: KDC must be secure; it's trusted!

Page 70:

Kerberized Login

(Figure: message flow between Alice, Alice's computer and the KDC)

1. Alice → Alice's computer: Alice's password
2. Alice's computer → KDC: "Alice wants a TGT"
3. KDC → Alice's computer: E(S_A, TGT, K_A)

where
• Key K_A is derived from Alice's password
• KDC creates session key S_A
• TGT = E("Alice", S_A, K_KDC)
• The workstation decrypts S_A and the TGT, then forgets K_A

Page 71:

Alice Requests Ticket to Bob

(Figure: Alice → Alice's computer: "I want to talk to Bob"; Alice's computer → KDC: REQUEST; KDC → Alice's computer: REPLY)

• REQUEST = (TGT, authenticator) where authenticator = E(timestamp, S_A)
• REPLY = E("Bob", K_AB, ticket to Bob, S_A)
• ticket to Bob = E("Alice", K_AB, K_B)
• KDC gets S_A from the TGT to verify the timestamp

Page 72:

Alice Uses Ticket to Bob

(Figure: Alice's computer → Bob: ticket to Bob, authenticator; Bob → Alice's computer: E(timestamp + 1, K_AB))

• ticket to Bob = E("Alice", K_AB, K_B)
• authenticator = E(timestamp, K_AB)
• Bob decrypts "ticket to Bob" to get K_AB, which he then uses to verify the timestamp

Page 73:

Kerberos

• Session key S_A used for authentication
• Can also be used for confidentiality/integrity
• Timestamps used for mutual authentication
• Recall that timestamps reduce the number of messages
  – Acts like a nonce that is known to both sides
  – Note: time is a security-critical parameter!
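The three exchanges of pages 70 to 72 as running code, an added example that is not code from the slides or from any Kerberos implementation: a KDC, Alice's workstation and Bob pass exactly the messages shown (E(S_A, TGT, K_A) with the TGT under K_KDC, the authenticator E(timestamp, S_A), the ticket E("Alice", K_AB, K_B) and Bob's E(timestamp + 1, K_AB)). The E() stand-in is a toy encrypt-then-MAC built from HMAC-SHA256, not Kerberos' real encryption types; the JSON message layout, the eight-hour TGT lifetime, the five-minute skew window and the replay caches are assumptions of this example.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew a verifier tolerates: time is a security-critical parameter

# Toy authenticated encryption standing in for E(..., K). It is NOT Kerberos' real crypto;
# it only provides the confidentiality and integrity the protocol assumes of E().
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()  # K_A = h(password), as on the slides

def check_fresh(seen, who, ts):
    """Replay prevention: reject an authenticator outside the skew window or one seen before."""
    if abs(time.time() - ts) > SKEW or (who, ts) in seen:
        raise ValueError("stale or replayed authenticator")
    seen.add((who, ts))

class KDC:
    def __init__(self):
        self.k_kdc, self.keys, self.seen = os.urandom(32), {}, set()  # K_KDC, long-term keys, replay cache

    def register(self, name, password=None):
        self.keys[name] = string_to_key(password) if password else os.urandom(32)
        return self.keys[name]

    def login(self, user):
        """AS exchange (page 70): reply E(S_A, TGT, K_A) with TGT = E("Alice", S_A, K_KDC)."""
        s_a = os.urandom(32)
        tgt = encrypt(self.k_kdc, {"user": user, "skey": s_a.hex(), "exp": time.time() + 8 * 3600})
        return encrypt(self.keys[user], {"skey": s_a.hex(), "tgt": tgt.hex()})

    def ticket_request(self, tgt, authenticator, service):
        """TGS exchange (page 71): REQUEST = (TGT, E(timestamp, S_A)); REPLY = E("Bob", K_AB, ticket, S_A)."""
        t = decrypt(self.k_kdc, tgt)  # only the KDC can read the TGT
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        s_a = bytes.fromhex(t["skey"])
        check_fresh(self.seen, t["user"], decrypt(s_a, authenticator)["ts"])
        k_ab = os.urandom(32)
        ticket = encrypt(self.keys[service], {"user": t["user"], "key": k_ab.hex()})  # E("Alice", K_AB, K_B)
        return encrypt(s_a, {"service": service, "key": k_ab.hex(), "ticket": ticket.hex()})

class Service:  # Bob
    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, ticket, authenticator):
        t = decrypt(self.key, ticket)  # Bob never contacts the KDC; K_B alone opens the ticket
        k_ab = bytes.fromhex(t["key"])
        ts = decrypt(k_ab, authenticator)["ts"]
        check_fresh(self.seen, t["user"], ts)
        return encrypt(k_ab, {"ts": ts + 1})  # E(timestamp + 1, K_AB): Bob proves he holds K_AB

class Workstation:  # Alice's computer
    def __init__(self, user, kdc):
        self.user, self.kdc = user, kdc

    def login(self, password):
        k_a = string_to_key(password)
        reply = decrypt(k_a, self.kdc.login(self.user))  # a wrong password fails here, offline
        self.s_a, self.tgt = bytes.fromhex(reply["skey"]), bytes.fromhex(reply["tgt"])
        del k_a  # forget K_A; keep only S_A and the TGT

    def get_ticket(self, service):
        authenticator = encrypt(self.s_a, {"ts": int(time.time())})
        reply = decrypt(self.s_a, self.kdc.ticket_request(self.tgt, authenticator, service))
        return bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"])

    def authenticate_to(self, bob, ticket, k_ab):
        ts = int(time.time())
        authenticator = encrypt(k_ab, {"ts": ts})
        return authenticator, decrypt(k_ab, bob.accept(ticket, authenticator))["ts"] == ts + 1

def run_demo():
    """Returns (mutual authentication succeeded, replayed authenticator was rejected)."""
    kdc = KDC()
    kdc.register("alice", "correct horse battery staple")
    bob = Service(kdc.register("bob"))
    alice = Workstation("alice", kdc)
    alice.login("correct horse battery staple")
    ticket, k_ab = alice.get_ticket("bob")
    authenticator, mutual_ok = alice.authenticate_to(bob, ticket, k_ab)
    try:
        bob.accept(ticket, authenticator)  # the same authenticator again must be refused
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return mutual_ok, replay_blocked
```

The demo also answers the replay question on the next page: both the KDC and Bob remember (user, timestamp) pairs inside the skew window, so presenting the same authenticator twice fails, and anything older than the window fails regardless. Note that a wrong password is only detected when the workstation tries to decrypt the KDC's reply, which is why such a reply, obtained without pre-authentication, can be guessed against offline.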

Page 74:

Kerberos Questions

• When Alice logs in, the KDC sends E(S_A, TGT, K_A), where TGT = E("Alice", S_A, K_KDC)
• Q: Why is the TGT encrypted with K_A?
• A: Extra work and no added security!
• In Alice's Kerberized login to Bob, why can Alice remain anonymous?
• Why is "ticket to Bob" sent to Alice?
• Where is replay prevention in Kerberos?

Page 75:

Kerberos Alternatives

• Could have Alice's workstation remember the password and use that for authentication
  – Then no KDC required
  – But hard to protect the password on the workstation
  – Scaling problem
• Could have the KDC remember the session key instead of putting it in a TGT
  – Then no need for TGTs
  – But a stateless KDC is a big feature of Kerberos

Page 76:

Kerberos Keys

• In Kerberos, K_A = h(Alice's password)
• Could instead generate a random K_A and
  – Compute K_h = h(Alice's password)
  – And have the workstation store E(K_A, K_h)
• Then K_A need not change (on workstation or KDC) when Alice changes her password
• But E(K_A, K_h) is subject to password guessing
• This alternative approach is often used in applications (but not in Kerberos)

Page 77:

See MAMS presentation

Page 78:

Rainbow tables

Page 79:

Rainbow tables

Page 80:

GSM Security

Page 81:

Cell Phones

• First generation cell phones
  – Analog, few standards
  – Little or no security
  – Susceptible to cloning
• Second generation cell phones: GSM
  – Began in 1982 as Groupe Spécial Mobile
  – Now, Global System for Mobile Communications
• Third generation?
  – 3rd Generation Partnership Project (3GPP)

Page 82:

GSM System Overview

(Figure: Mobile -(air interface)- Base Station - Base Station Controller - VLR, together forming the Visited Network; then the "land line" to the Home Network with its HLR and AuC; and on to the PSTN, Internet, etc.)

Page 83:

GSM System Components

• Mobile phone
  – Contains SIM (Subscriber Identity Module)
• SIM is the security module
  – IMSI (International Mobile Subscriber ID)
  – User key Ki (128 bits)
  – Tamper resistant (smart card)
  – PIN activated (usually not used)

(Figure: SIM card)

Page 84:

GSM System Components

• Visited network: the network where the mobile is currently located
  – Base station: one "cell"
  – Base station controller: manages many cells
  – VLR (Visitor Location Register): info on all visiting mobiles currently in the network
• Home network: "home" of the mobile
  – HLR (Home Location Register): keeps track of the most recent location of the mobile
  – AuC (Authentication Center): contains IMSI/Ki

Page 85:

GSM Security Goals

• Primary design goals
  – Make GSM as secure as an ordinary telephone
  – Prevent phone cloning
• Not designed to resist an active attack!
  – At the time this seemed infeasible
  – Today such an attack is very feasible…
• Designers considered the biggest threats to be
  – Insecure billing
  – Corruption
  – Other low-tech attacks

Page 86:

GSM Security Features

• Anonymity
  – Intercepted traffic does not identify the user
  – Not so important to the phone company
• Authentication
  – Necessary for proper billing
  – Very important to the phone company!
• Confidentiality
  – Confidentiality of calls over the air interface
  – Not important to the phone company
  – May be very important for marketing!

Page 87:

GSM: Anonymity

• IMSI used to initially identify the caller
• Then TMSI (Temporary Mobile Subscriber ID) used
• TMSI changed frequently
• TMSIs encrypted when sent
• Not a strong form of anonymity
• But probably sufficient for most uses

Page 88:

GSM: Authentication

• Caller is authenticated to the base station
• Authentication is not mutual: the mobile never authenticates the network
• Authentication via challenge-response
  – Home network generates RAND and computes XRES = A3(RAND, Ki), where A3 is a keyed one-way function
  – Then (RAND, XRES) sent to the base station
  – Base station sends challenge RAND to the mobile
  – Mobile's response is SRES = A3(RAND, Ki)
  – Base station verifies SRES = XRES
• Note: Ki never leaves the home network!

Page 89

GSM: Confidentiality

• Data encrypted with stream cipher
• Error rate estimated at about 1/1000
  – Error rate too high for a block cipher (a single bit error would corrupt a whole decrypted block; with a stream cipher it flips only that bit)
• Encryption key Kc
  – Home network computes Kc = A8(RAND, Ki), where A8 is a hash
  – Then Kc sent to base station with (RAND, XRES)
  – Mobile computes Kc = A8(RAND, Ki)
  – Keystream generated from A5(Kc)
• Note: Ki never leaves home network!

Page 90

GSM Security

• SRES and Kc must be uncorrelated
  – Even though both are derived from RAND and Ki
• Must not be possible to deduce Ki from known RAND/SRES pairs (known plaintext attack)
• Must not be possible to deduce Ki from chosen RAND/SRES pairs (chosen plaintext attack)
  – With possession of SIM, attacker can choose RANDs

[Figure: message flow between Mobile, Base Station and Home Network]
1. IMSI: mobile → base station
2. IMSI: base station → home network
3. (RAND, XRES, Kc): home network → base station
4. RAND: base station → mobile
5. SRES: mobile → base station
6. Encrypt with Kc (mobile ↔ base station)
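The six-step flow above, together with the authentication and confidentiality slides, as a runnable model. This is an added example, not code from the lecture: A3 and A8 are keyed functions of (RAND, Ki), and here HMAC-SHA256 stand-ins replace COMP128 and an HMAC-based keystream replaces A5/1 (both assumptions; the real algorithms are not implemented). The 128-bit RAND, 32-bit SRES and 64-bit Kc sizes follow GSM; the Ki and IMSI values are constructed samples, and the class and function names are illustrative. The model goes one step further than the slide to show the two consequences the later "GSM Insecurity" slides draw: the mobile answers any RAND and obeys any cipher-mode command (fake base station), and a reused triplet yields the same Kc (replay).

```python
"""GSM triplet protocol from the preceding slides, plus two weaknesses from the
'GSM Insecurity' slides: the mobile cannot authenticate the base station, and a
captured (RAND, XRES, Kc) triplet can be replayed. Added example, not lecture code.
A3/A8/A5 are HMAC-SHA256 stand-ins (assumption); COMP128 and A5/1 are not implemented."""
import hashlib
import hmac
import secrets


def a3(rand: bytes, ki: bytes) -> bytes:
    """Stand-in for A3: 32-bit SRES/XRES from RAND under the subscriber key Ki."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(rand: bytes, ki: bytes) -> bytes:
    """Stand-in for A8: 64-bit session key Kc from the same RAND and Ki."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_xor(kc: bytes, frame: int, data: bytes) -> bytes:
    """Stand-in stream cipher: keystream from (Kc, frame number) XORed over data."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        counter = frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(kc, counter, hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))   # same call decrypts


class HomeNetwork:
    """HLR/AuC: the only party that holds Ki. It hands out triplets, never Ki."""
    def __init__(self):
        self.auc = {}                                   # IMSI -> Ki

    def triplet(self, imsi: str):
        ki, rand = self.auc[imsi], secrets.token_bytes(16)
        return rand, a3(rand, ki), a8(rand, ki)         # (RAND, XRES, Kc)


class Mobile:
    """Handset + SIM: answers any RAND it is sent and obeys any cipher-mode command."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki, self.kc, self.encrypt = imsi, ki, None, False

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(rand, self.ki)                     # Kc derived next to SRES
        return a3(rand, self.ki)

    def send(self, frame: int, data: bytes) -> bytes:
        return a5_xor(self.kc, frame, data) if self.encrypt else data


class BaseStation:
    """Visited network (BS/BSC/VLR): caches triplets and runs the challenge."""
    def __init__(self, home: HomeNetwork):
        self.home, self.cache = home, {}                # IMSI -> last triplet used

    def authenticate(self, mobile: Mobile, reuse: bool = False):
        if not reuse or mobile.imsi not in self.cache:
            self.cache[mobile.imsi] = self.home.triplet(mobile.imsi)   # steps 1-3
        rand, xres, kc = self.cache[mobile.imsi]
        if not hmac.compare_digest(mobile.respond(rand), xres):        # steps 4-5
            return None
        mobile.encrypt = True                                          # step 6
        return kc


KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed sample Ki
IMSI = "262010000000001"                                 # constructed sample IMSI


def setup():
    home = HomeNetwork()
    home.auc[IMSI] = KI
    return home, BaseStation(home), Mobile(IMSI, KI)


def normal_session() -> bool:
    """Honest run: the Kc the base station got from the AuC equals the one the SIM derived."""
    _, bs, mob = setup()
    return bs.authenticate(mob) == mob.kc


def fake_base_station() -> bytes:
    """Attacker with neither Ki nor a triplet: sends any RAND, then orders 'no encryption'."""
    _, _, mob = setup()
    mob.respond(secrets.token_bytes(16))     # the SIM answers; it cannot tell who asked
    mob.encrypt = False                      # the cipher-mode command is not authenticated
    return mob.send(1, b"call to destination")   # leaves the handset in clear


def replayed_triplet() -> bool:
    """Replayed triplet: the SIM re-derives the same Kc, so one leaked Kc decrypts every reuse."""
    _, bs, mob = setup()
    kc_first = bs.authenticate(mob)
    kc_again = bs.authenticate(mob, reuse=True)
    ct = mob.send(7, b"second call")         # later session, same Kc
    return kc_first == kc_again and a5_xor(kc_first, 7, ct) == b"second call"
```

Note what the model makes visible: Ki appears only inside `HomeNetwork`, exactly as the slides stress, but the triplet that leaves it is all an eavesdropper on the base-station link needs, and nothing in `Mobile` checks where RAND came from or who ordered encryption off.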

Page 91

GSM Insecurity (1)

• Hash used for A3/A8 is COMP128
  – Broken by 160,000 chosen plaintexts
  – With SIM, can get Ki in 2 to 10 hours
• Encryption between mobile and base station, but no encryption from base station to base station controller
  – Often transmitted over microwave link
• Encryption algorithm A5/1
  – Broken with 2 seconds of known plaintext

[Figure: Base Station → Base Station Controller → VLR; the base station to base station controller link is the unencrypted one]

Page 92

GSM Insecurity (2)

• Attacks on SIM card
  – Optical Fault Induction: can attack SIM with a flashbulb to recover Ki
  – Partitioning Attacks: using timing and power consumption, can recover Ki with only 8 adaptively chosen “plaintexts”
• With possession of SIM, attacker can recover Ki in seconds

Page 93

GSM Insecurity (3)

• Fake base station exploits two flaws
  – Encryption not automatic
  – Base station not authenticated

[Figure: Mobile ↔ Fake Base Station ↔ Base Station. The fake base station sends RAND to the mobile and receives SRES, runs the mobile side with no encryption, and places the call to the destination through the real base station]

• Note: The bill goes to fake base station!

Page 94

GSM Insecurity (4)

• Denial of service is possible
  – Jamming (always an issue in wireless)
• Base station can replay triple (RAND, XRES, Kc)
  – One compromised triple gives attacker a key Kc that is valid forever
  – No replay protection!

Page 95

GSM Conclusion

• Did GSM achieve its goals?
  – Eliminate cloning? Yes
  – Make air interface as secure as PSTN? Perhaps…
  – But design goals were clearly too limited
• GSM insecurities: weak crypto, SIM issues, fake base station, replay, etc.
• PSTN insecurities: tapping, active attack, passive attack (e.g., cordless phones), etc.
• GSM a (modest) security success?

Page 96

3GPP: 3rd Generation Partnership Project

• 3G security built on GSM (in)security
• 3G fixes known GSM security problems
  – Mutual authentication
  – Integrity protect signaling (such as “start encryption” command)
  – Keys (encryption/integrity) cannot be reused
  – Triples cannot be replayed
  – Strong encryption algorithm (KASUMI)
  – Encryption extended to base station controller
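To make the first four fixes concrete, here is an added example of a mutual-authentication exchange in the spirit of 3G AKA. It is not the lecture's code and not 3GPP's specification: f1 to f4 are HMAC-SHA256 stand-ins (the standardised functions are the MILENAGE set), the AK masking of the sequence number and the AMF field are omitted, the 6-byte SQN, 8-byte MAC and the `cipher:on` / `cipher:off` command strings are this example's own choices, and the key and IMSI are constructed samples. What it shows is the structural difference from the GSM triplet: the challenge now carries a MAC the USIM verifies before answering, a sequence number it refuses to accept twice, and a cipher-mode command that must verify under the fresh integrity key.

```python
"""Model of the fixes on the slide: the network proves knowledge of K with a MAC over a
sequence number (mutual authentication), the USIM refuses stale sequence numbers (no vector
replay), and the cipher-mode command carries an integrity tag under IK. Added example in the
spirit of 3G AKA, not lecture or 3GPP code; f1..f4 are HMAC stand-ins, AK/AMF omitted."""
import hashlib
import hmac
import secrets


def f(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the AKA functions f1..f4: HMAC-SHA256 under k, truncated to n bytes."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


class HomeNetwork:
    """HLR/AuC: holds K and a per-subscriber sequence number SQN that only goes up."""
    def __init__(self):
        self.subs = {}                                   # IMSI -> [K, next SQN]

    def auth_vector(self, imsi: str):
        k, sqn = self.subs[imsi]
        self.subs[imsi][1] = sqn + 1
        rand, sqn_b = secrets.token_bytes(16), sqn.to_bytes(6, "big")
        return {"rand": rand,
                "autn": sqn_b + f(b"f1", k, sqn_b + rand, 8),   # SQN || MAC proves K
                "xres": f(b"f2", k, rand, 8),
                "ck": f(b"f3", k, rand, 16),                     # cipher key
                "ik": f(b"f4", k, rand, 16)}                     # integrity key


class Usim:
    """USIM: authenticates the network before answering, fresh CK/IK per run."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.sqn_max = imsi, k, -1
        self.ck, self.ik, self.encrypt = None, None, False

    def challenge(self, rand: bytes, autn: bytes):
        """RES on success; None if the network fails to authenticate (bad MAC or stale SQN)."""
        sqn_b, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f(b"f1", self.k, sqn_b + rand, 8)):
            return None                                  # fake base station: no K, no MAC
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_max:
            return None                                  # replayed vector: SQN seen before
        self.sqn_max = sqn
        self.ck, self.ik = f(b"f3", self.k, rand, 16), f(b"f4", self.k, rand, 16)
        return f(b"f2", self.k, rand, 8)

    def security_mode(self, command: bytes, mac_i: bytes) -> bool:
        """Obey a signalling command only if MAC-I verifies under this run's IK."""
        if self.ik is None or not hmac.compare_digest(mac_i, f(b"mac-i", self.ik, command, 4)):
            return False
        self.encrypt = command == b"cipher:on"
        return True


class ServingNetwork:
    """VLR/RNC: challenges with a vector, then switches encryption on with a MAC-I."""
    def __init__(self, home: HomeNetwork):
        self.home, self.vectors = home, {}               # IMSI -> last vector used

    def authenticate(self, usim: Usim, reuse: bool = False):
        if not reuse or usim.imsi not in self.vectors:
            self.vectors[usim.imsi] = self.home.auth_vector(usim.imsi)
        av = self.vectors[usim.imsi]
        res = usim.challenge(av["rand"], av["autn"])
        if res is None or not hmac.compare_digest(res, av["xres"]):
            return None
        usim.security_mode(b"cipher:on", f(b"mac-i", av["ik"], b"cipher:on", 4))
        return av["ck"]


K = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample long-term key
IMSI = "262010000000001"                                # constructed sample IMSI


def setup():
    home = HomeNetwork()
    home.subs[IMSI] = [K, 0]
    return home, ServingNetwork(home), Usim(IMSI, K)


def honest_then_replay():
    """First run succeeds (CK agreed, cipher on); the same vector offered again is rejected."""
    _, sn, u = setup()
    ok = sn.authenticate(u) == u.ck and u.encrypt
    return ok, sn.authenticate(u, reuse=True) is None


def fake_network_rejected() -> bool:
    """Attacker without K picks RAND and a fresh-looking SQN but cannot produce the MAC."""
    _, _, u = setup()
    forged_autn = (1).to_bytes(6, "big") + f(b"f1", b"not K", b"", 8)
    return u.challenge(secrets.token_bytes(16), forged_autn) is None


def unsigned_cipher_off_rejected() -> bool:
    """After a good run, a 'cipher:off' command with a bad MAC-I leaves encryption on."""
    _, sn, u = setup()
    sn.authenticate(u)
    accepted = u.security_mode(b"cipher:off", f(b"mac-i", b"not IK", b"cipher:off", 4))
    return (not accepted) and u.encrypt
```

The sequence-number check is what turns "triples cannot be replayed" into code: the USIM stores only a high-water mark, so it needs no memory of individual vectors, but a serving network that caches and reuses one is refused on its second attempt.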