Authentication, Authorization,
and Accounting
Mike Scher
Director of Labs
Neohapsis, Inc
1
Or,
Who, What, How, When, and Where
Tech 102
2
Neohapsis 101 - Who we are
and what we do
• Information Security Consultancy with an
emphasis on R&D and QA/QC
• Network Computing Magazine's Chicago
Lab
• Producers of the SANS Security Alert
Consensus Newsletter (SAC)
3
101 Recap
• The Internet is “Packet-switched”
• To/From numeric “IP” Addresses go on all packets of
information
• Domain names help users remember systems and
networks, but map to IP addresses
• Packets travel through several “hops” of routers along the
way
• Many systems automatically log information about usage
(client and server may both retain logs or copies of data)
• Trap and trace can pick up IP addresses of users accessing
systems
4
“AAA”
• What is Authentication?
– How does it work?
– How can it fail?
• What is Accounting?
– How does it depend on Authentication?
– What is its utility?
• What is Authorization?
– How does it depend on Authentication?
– Where and how do authorization systems work?
5
Overview: Encryption
• What it is and what it isn’t
• General Kinds of Encryption
• How and Where Encryption is:
• Used
• Misused
• Abused
6
Encryption (cont.)
• Kinds of Crypto, generally
– Symmetric (e.g., shared secret key)
• The key used to encrypt (lock) is the same as the key used to
decrypt (unlock)
• DES, Triple-DES (3DES), AES, IDEA, Blowfish, Twofish
– Asymmetric (e.g., public key)
• A key different from the key used to encrypt (lock) is used to
decrypt (unlock)
• In public key cryptography, the key used to encrypt can be
published widely with no negative impact on the security
• Lockbox example
7
Encryption (cont.)
• Where is crypto used?
– Asymmetric
• “Secure” web pages (SSL) – public key is called a “certificate”
• PGP (“Pretty good privacy”) – widely used public key system
– Symmetric
• “Secure” web pages (SSL) – after the session is set up with the
public key, a secret key is exchanged and the session streams
using a symmetric algorithm
• PGP (“Pretty good privacy”) – widely used public key system
• To “one-way encrypt” (hash) passwords in a password file
• Most file and disk encryption programs
8
Encryption (cont.)
• Asymmetric Encryption with Public Key
Cryptography
– A uses B’s PUBLIC key to send to B
– B uses B’s PRIVATE key to read it
– B uses A’s PUBLIC key to respond
9
Encryption (cont.)
• Where is crypto misused?
– Weak crypto used to “protect” sensitive
communications
– Poorly implemented cryptography
• Keys stored where they can be retrieved, stolen,
snooped
• Strong cryptography in a shoddy application
• Strong cryptographic algorithm with poorly
generated key
10
Encryption (cont.)
• Where is crypto abused?
– Marketing!
• “Proprietary” encryption algorithms
– Even if they are “patented” and “unbreakable,” too
– No public review = low chance of real security
• One-time Pads
– True that, properly done, they are extremely strong
– Manageability and limited utility makes them almost useless for
real-world applications outside espionage arenas
– “Throwaway” crypto
• Mere obfuscation passed off as encryption
• Clever people reinventing the wheel… and the problems
11
Authentication
• User identification
– Who do you claim to be?
– Note the use of the term claim
– Examples:
•
•
•
•
a userid:
a name:
a SS#:
An e-mail address:
“jsmither”
“Joshua Smither”
111-11-1111
jsmither@example.com
– Not always unique, even on the system
12
Authentication (cont.)
• User identification + Something else =
– Reasonable association of the person with the
ID presented
– Why “reasonable”?
•
•
•
•
All access controls can be defeated
Many can be “spoofed”
Reasonability depends (ideally) on a risk analysis
What does the ID guard?
13
Authentication (cont.)
• PLUS Something else (How can I reasonably
assume you are who you claim to be?)
–
–
–
–
–
–
–
Password
Digital Certificate
“One-time” password (e.g., tokens)
Biometric
ANI
Physical locality (including IP address)
Combination of above
14
Passwords
• Passwords:
– Can be “weak” or “strong” (vs. guessing or “cracking”)
• Weak:
• Strong:
mouser1 (guessable)
r!verb3d (crackable)
9i63vDvKHp41b
– Problem with passwords:
• When they are memorable, they are weak
• When they are strong, they are unmanageable
• People almost always either pick weak passwords or they
record their passwords someplace handy (perhaps protected by
a single password)
15
Digital Certificates
• Digital Certificate
– Based on the huge, unpredictable product of
two very large, prime numbers
– Public/Private Key encryption
• A uses B’s PUBLIC key to send to B
• B uses B’s PRIVATE key to read it
• B uses A’s PUBLIC key to respond
16
Digital Certificates (cont.)
-----BEGIN CERTIFICATE----MIIDxDCCAy2gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVVMx
ETAP5thsbAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMRIwEAYDVQQKEwlO
ZW9oYXBzaXMxFzAVBgNVBAsTDk5lb2hhcHNpcyBMYWJzMRkwFwYDVQQDExBjYS5u
ZW9oYXBzaXMuY29tMScwJQYJKoZIhvcNAQkBFhhob3N0bWFzdGVyQG5lb2hhcHNp
cy5jb20wHhcNMDExMTE2MDA0MTA0W7hdtyExMTE0MDA0MTA0WjCBozELMAkGA1UE
BhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMRIwEAYD
VQQKEwlOZW9oYXBzaXMxFzpol91VBAsTDk5lb2hhcHNpcyBMYWJzMRkwFwYDVQQD
ExBjYS5uZW9oYXBzaXMuY29tMScwJQYJKoZIhvcNAQkBFhhob3N0bWFzdGVyQG5l
b2hhcHNpcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANn6Cz0ypg/m
dAjEqiGA2A/e++ffpuk69akqCIdfkjC6YtG/DKIgR8M7pjPldUPWaJxPZbnjTprx
OJylGLGl8n7RpqCi3ZM7MCi5VJ66B/ImxCAXhLnE0FJV/i3ONlwEQq5/voYwvv4z
JL0+H2IMMvC1iltw8shH1ZqhUSXyIlIhAgMBAAGjggEEMIIBADAdBgNVHQ4EFgQU
r9QFcUHlpDEMt8/8MmAjtu+/Z8cwgdAGA1UdIwSByDCBxYAUr9QFcUHlpDEMt8/8
Mm8jtu+/Z8ehgamkgaYwgaMxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9p
czEQMA4GA1UEBxMHQ2hpY2FnbzESMBAGA1UEChMJTmVvaGFwc2lzMRcwFQYDVQQL
Ew5OZW9oYXBzaXMgTGFiczEZMBcGA1UEAxMQY2EubmVvaGFwc2lzLmNvbTEnMCUG
CSqGSIb3DQ87bd3YaG9zdGwta52lckBupl81wXBzaXMuY29tggEAMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAdQ+FklXZfla9kehgwJmiIqGfwVOzVDdP
3IKIuRjGIOO3vYY0oKUWVWDF943MPqugCjx7pIcqezmkRxOIn+pjC3EnOC4H7HNo
JAX9avjxH9Wj39M+7y0OS8b471mIxBi3E5BVaMDCHmLbM3+4XQDd8rZZHGn/RWBM
UOYJ8wNhMPs=
-----END CERTIFICATE-----
17
Tokens and Smart Cards
• Tokens (“One-Time Passwords”)
– Brands:
•
•
•
•
SecurID
Axent (Symantec) Defender
SecureComputing Safeword
Cryptocard
• Smartcards
– “Memory” Smart Cards strore
information (such as a Digital
Certificate)
– ‘True” Smart Cards do the math
internally
18
Biometrics
• Familiar territory in
forensics work
• The goal is, ultimately, to
do what we do in “real
life” – to recognize the
person
• Convergence (accuracy of
readers) remains a critical
issue with fairly high false
negatives and some
disturbing false positive
numbers in recent testing
19
Locality
• Door-mounted card readers, hand-print
readers, keypads, etc.
• Car door PIN locks
• Keys in locks
• ANI (“Automatic Number Identification”)
• Secure terminals in secure locations
• IP addresses (in some cases)
20
Logs (audit trails) and
Authentication
• System logs of “who was on what system
when” depend on Authentication credentials
of the user
• Authentication credentials are often
combined for greater assurance
– password + biometric + locality
– token(one-time password) + password +
locality
21
Intrusion Detection Systems
• Misuse detection vs. Anomaly detection
• Host based (HIDS) vs. Network based (NIDS)
– HIDS: Active Audit trail monitoring
– NIDS: Snooping network traffic for signs of malfeasance
• Almost all report to a central collection, correlation and
alert-generating server
• Useful as an early-warning system and for trending trouble
areas
• Useful for some types of after-the-fact damage analysis
22
Problems in Authentication as
evidence
• Username/Password
– Easily stolen when sent “in clear”
– Or via “trojan horse” programs, worms, viruses
– Often guessable
• IP address
– Spoofable for some kinds of connections
– Doesn’t establish that the user initiated the
action
23
Problems in Authentication as
evidence (cont.)
• Digital Certificates
– Large password protected by a small password
– File can be taken just like any other
– User’s password to activate the certificate may be
• Guessed
• Cracked
• Snooped
– More like a “rubberstamp” signature in a locked drawer
• But owner may have no indication of its theft
• Rebuttable presumption of identity unlikely to ever be rebutted
24
Problems in Authentication as
evidence (cont.)
• Biometrics
– Biometrics are static, and easily copied once known
– Never-ending escalation of spoofing tricks against the
reader, never-ending need to upgrade readers
– Remote biometric authentication raises issues
• Credentials injected into the stream
• Biometric readers use a variety of cryptographic methods to
ensure data integrity and reader legitimacy
• At that point, biometrics are a fixed password in a public-key
authentication system
25
Authentication as Evidence
• Combining unintended authenticators with
intentional authenticators increases
evidentiary value:
• Example: DNR + time of day + IP +
username and password + files found on
user’s system
26
Problems in Authentication as
evidence (cont.)
• DNR + IP + time of day + username and
password + files found on user’s system
– Was it the user?
– Or was it a worm?
– Or was it an electronic intruder using the
person’s computer?
• Other, circumstantial evidence may defeat
such assertions
27
Authorization
• Once we know (reasonably) who it is, we
need to decide what they can access, and
how.
–
–
–
–
–
Servers
Networks
Applications
Files (data)
Actions
28
Authorization Systems
• Access Control Lists (ACLs)
–
–
–
–
On Firewalls
On Gateways and Routers
On Servers
On Workstations
29
Firewalls
• Help provide an initial layer of defense at
boundaries
• Provide network accounting mechanisms
• Can be used as a broad access control
device
• Some firewalls can do ACL and patternbased content and many perform virus
filtering
30
Firewalls (cont.)
31
Firewalls (cont.)
•
•
•
•
•
All firewalls are not created equal
There is no “best” firewall
Don’t solve host/server-level problems
Often provide a false sense of security
Have a history of their own security
problems
32
The Big, Bad Internet
CSPM
Router
DMZ
HUB
Cat6006 w/IDS
Sniffer
WEB
SonicWall HA
NIDS blade
SQL Database Server
VPN
Syslog
Wirless Accss Point
Corporate Internal Network
Internal Users
Wireless User/Attacker
33
Gateways and Routers
• Whose traffic goes where… and how?
• Gateways include
– Firewalls
– Routers
• Acting as traffic cops
• Control direction, speed
• Can help control IP “spoofing”
– Virtual Private Network (VPN) gateways
34
VPNs
• VPN:
– Simulate a point-to-point, dedicated telco line
as closely as reasonably possible
• Identify user or remote network (authentication)
• Limit access (authorization)
• Log accesses and violations (accounting)
35
36
37
VPNs (cont.)
• Inherently serve one real purpose:
– Make doing a very risky thing as safe as
reasonably possible
• Then why do we use them?
– Costs
– Also, costs
– Oh, and costs, too.
38
VPNs (cont.)
(Not to mention, costs.)
• The Big Myths about VPNs:
–
–
–
–
inherently add security
authenticate end-users
ensure authorized use
always less expensive than dedicated telco
connectivity
39
VPNs (cont.)
• Risks (especially in connecting a home user to the
enterprise network) are significant
– Privacy of the connection and authentication traffic
– Theft/compromise of authentication credentials
– End user’s system used as live gateway to private
network after the user authenticates
– End user fooled into authenticating to trojan gateway
– Store-and-forward (time-delayed) attacks from
compromised end-user system
40
The Upshot
• Defense in depth is becoming the new best practice in most industries
–
–
–
–
–
Use firewalls at least at corporate borders
Use IDS internally and at borders
Secure servers and put IT policies in place to maintain their security
Use strong authentication devices for all remote access
Use VPNs with strong authentication and limit remote users’ capabilities
• Never assume a product is so secure that it is all you need for security
– even a firewall
• IT staff need to get and stay up to date, reviewing new issues almost on
a daily basis
• Manage IT risks as a part of conducting business
41
Questions
?
42
URLs
• Us: http://www.neohapsis.com
• Many security mailing list archives:
http://archives.neohapsis.com
• Security Alert Consensus (SAC):
http://www.sans.org/sansnews
• Mike: mscher@neohapsis.com
43