Cryptography and Network Security - 1

Cryptography and Security Services:
Mechanisms and Applications
Chapter 7
Access Authentication
Manuel Mogollon
m_mogollon@verizon.net
M. Mogollon 0
Session 5 – Contents
• Authentication Concepts
• IEEE 802.1X Authentication
• Extensible Authentication Protocol (EAP)
• EAP Password Mechanisms
• Other Password Mechanisms
• Password Security Considerations
• EAP Authentication Servers
• Remote Authentication Dial-in User Service (RADIUS)
• The Needham-Schroeder Protocol, Kerberos V5.1
• ITU-T X.509
IEEE 802.1X
EAP Methods
Passwords
Radius
Kerberos
X.509
M. Mogollon 1
Security Concerns
• Browsing
— The attacker tries to get access to a database to get information.
• Spoofing
— The attacker pretends to be a user with certain privileges.
• Session Hijacking
— The attacker tries to take over an existing connection between two
computers.
• Electronic Eavesdropping or Sniffing
— The attacker records all the traffic going through the network interface card
(NIC) or on a server node.
• Exhaustive Attacks
— The attacker tries to identify secret information by testing all possibilities.
Also called Brute Force Attack.
What is Authentication?
authentication / n. (1) The act of identifying or verifying the entity
that originated the message or the corroboration (proof) of the
sender's identity, i.e. that he is who he claims to be. Written
messages are authenticated with a handwritten signature so the
receiver of the message is able to validate the message. (2) access.
The act of identifying or verifying the eligibility of a station,
originator or individual to access specific categories of
information.
Longley, D., & Shain, M. (1989). Data & Computer Security Dictionary of Standards Concepts
and Terms (p26). Boca Raton, FL:CRC Press, Inc.
Access Authentication
[Figure: network diagram of access authentication points. Labels: dial-up user authentication (PSTN, NAS), device authentication (VoIP, home office), user authentication (routers, firewall, authentication server), wireless access authentication, Internet/IP WAN, intranet.]
• Dial-up User Authentication
• Wireline User Authentication
• Wireless User Authentication
• Device Authentication
Access Authentication
The prevention of the unauthorized use of a resource.
[Figure: access authentication building blocks]
• Access authentication protocol: IEEE 802.1X
• EAP method: EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-SIM, EAP-AKA, EAP-PSK
• Mechanism: CHAP, OTP, GTC, MS-CHAP v2, digital certificates
Abbreviations:
IEEE 802.1X: Port-based Access Control Protocol
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
TTLS: Tunneled Transport Layer Security
PEAP: Protected EAP
CHAP: Challenge-Handshake Authentication Protocol
OTP: One-Time Password
GTC: Generic Token Card
Authentication Factors
• What the user knows
— Something secret only the user knows
– A memorized personal identification number (PIN) or password
• What the user has
— Something unique the user possesses
– SecurID card (token generating a one-time password)
– A smartcard that can perform cryptographic operations on behalf of a user
– Digital certificate
• What the user is
— Something unique to the user
— Biometrics (Fingerprints, voiceprint)
Access Authentication vs. Authorization
• Access Authentication
— Defines whether Access-Accept or Access-Reject is returned by the
authenticator server.
• Authorization
— Defines user’s environment once access is granted.
— Controls or restricts what user is allowed to do on a network access
server (NAS) or network.
IEEE 802.1X Authentication
• IEEE 802.1X-2004 is a data link layer transport protocol that defines port-access control standards for wireless and physical (wired) networks.
— Port access refers to “user port” access controlled by a wireless access point or wired switch. Users do not get IP connectivity until they have successfully authenticated.
• IEEE 802.1X deployment requires the installation of three components:
— Supplicant: authentication software and hardware.
— Authenticator: 802.1X EAP compatible.
— Authentication Server.
• In IEEE 802.11, the Access Point acts as an authenticator, while a wireless station (e.g., a laptop) is the supplicant. A Port Access Entity (PAE) is an entity that is able to control the authorized/unauthorized state of its controlled port.
802.1X Port-based Access Control Protocol
[Figure: 802.1X port-based access control. Labels: authenticator system (services offered by the authenticator system, controlled port, uncontrolled port, authenticator Port Access Entity, port unauthorized, AuthControlledPortStatus, MAC enable/disable), authentication server system (authentication server), authentication protocol exchanges, LAN.]
EAP Stack
[Figure: EAP stack, from top to bottom]
• Auth. layer: connection and login process
• Method layer (protection layer): TLS, PEAP, TTLS
• EAP layer: Extensible Authentication Protocol (EAP), carried over EAP over LAN (EAPOL) or PPP
• Media layer: 802.3 Ethernet, 802.5 Token Ring, 802.11 Wireless LAN
Extensible Authentication Protocol
• Originally created for use with PPP, it has since been adopted for use with IEEE 802.1X-2004 "Port-Based Network Access Control".
• Supports authentication mechanisms such as smart cards, Kerberos, digital certificates, one-time passwords, and others.
— Authentication mechanisms are implemented in a number of ways called EAP methods, e.g., EAP-TLS, EAP-TTLS, EAP-PEAP, etc.
• EAP is extensible because any authentication mechanism can be encapsulated within EAP messages.
• EAP allows the deployment of new protocols between the supplicant and the authentication server.
— The encapsulation technique used to carry EAP packets between peer and authenticator in a LAN environment is known as EAP over LANs, or EAPOL.
• Authentication Mechanisms
— MD5-Challenge: Analogous to the PPP CHAP protocol with MD5 as the specified algorithm, RFC 1994. The Request contains a "challenge" message to the peer.
— One-Time Password (OTP): Defined in "A One-Time Password System," RFC 1938. The Request contains a displayable message containing an OTP challenge.
— Generic Token Card (GTC): Defined for use with various token card implementations which require user input. The Request contains an ASCII text message and the Reply contains the token card information necessary for authentication.
EAP Authentication Process
[Figure: EAP authentication process. Supplicants reach the authenticator with EAP over Ethernet; the authenticator passes the EAP method to the authentication server (Radius, Kerberos, PKI, OTP, Token), which is backed by a password authentication database, a token authentication database, an X.509 directory and a Kerberos ticket granting server.]
The Authenticator functions as an AAA client to the Authentication Server.
AAA – Authentication, Authorization and Accounting
EAP Certificate and Hybrid Methods
• Certificate Method
— EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security uses X.509 digital certificates for secure mutual authentication of client and server.
• EAP Hybrid Methods
— EAP-TTLS (Tunneled TLS): Based on asymmetric cryptography
reusing TLS mechanisms. In EAP-TTLS, the TLS handshake can be
mutual, or it can be one-way, in which only the server is
authenticated to the client.
— PEAP (Protected Extensible Authentication Protocol): Based on
asymmetric cryptography reusing TLS mechanisms. Provides an
encrypted and authenticated tunnel based on transport layer security
(TLS) that encapsulates EAP authentication mechanisms.
Protected EAP
[Figure: Protected EAP. Labels: client and authentication server, each with an EAP API, an EAP method and a cipher suite; dual-port authenticator on the LAN or wireless link, with its controlled port disabled in front of the services offered by the authenticator system; trust; keys; inner EAP methods EAP-TLS, EAP-GTC, MS-CHAPv2.]
• First a TLS tunnel is established, and then the tunnel is used to run legacy authentication protocols in the inner tunnel.
EAP SIM-Based Methods
• EAP-AKA (Authentication and Key Agreement):
— Based on the 3rd generation Authentication and Key Agreement
mechanism (AKA) specified for Universal Mobile
Telecommunications System (UMTS) and for cdma2000.
— Based on challenge-response mechanisms and symmetric
cryptography. It uses shared secrets between the User and the
Authenticator together with a sequence number to perform the
Authentication.
• EAP-SIM (Subscriber Identity Module)
— Based on symmetric cryptography that reuses the GSM
authentication infrastructure.
— Useful for scenarios where SIMs are already deployed (e.g.,
authentication of GPRS clients on a WLAN connected to a 3GPP
network).
EAP Pre-Shared Key Methods
• EAP-TLS-PSK: TLS Pre-Shared Key
— A possible future EAP method based on TLS that would support authentication based on pre-shared keys.
— TLS-PSK uses one of the following:
– 1. Symmetric key operations for authentication;
– 2. Diffie-Hellman exchange authenticated with a pre-shared key;
– 3. Combined public key authentication of the server with pre-shared key authentication of the client.
• EAP-IKEv2:
— Based on the symmetric and asymmetric cryptography of IKEv2, a protocol whose security has received considerable expert review.
— Could be an excellent candidate to replace EAP-MD5.
• EAP-PSK (Pre-Shared Key)
— Based on symmetric cryptography.
— Advantages:
– Simplicity: Easy to implement and to deploy without any pre-existing infrastructure.
– Wide applicability: Can be used to authenticate over any network, in particular for WLANs.
– Security: Based on AES.
– Extensibility: Can add extensions as needed.
– Patent-avoidance: No Intellectual Property Right claims.
Password-Based EAP Methods
• EAP-PAX
— Designed for device authentication using a shared key, a personal identification number (PIN). Instead of using a symmetric key exchange, the client and server perform a Diffie-Hellman key exchange, which provides forward secrecy.
— Supports the generation of strong key material; mutual authentication; resistance to desynchronization, dictionary, and man-in-the-middle attacks; ciphersuite extensibility with protected negotiation; identity protection; and the authenticated exchange of data, useful for implementing channel binding. EAP-PAX is ideal for wireless environments such as IEEE 802.11.
• EAP-SPEKE (Simple Password Exponential Key Exchange)
— Based on symmetric cryptography and asymmetric key cryptography to provide password-only authenticated key exchange.
— Useful only when authentication is based on user-provided password information.
— Unnecessarily complex for device authentication (e.g., it makes heavy use of public key cryptography).
— Improved protocol supports mutual authentication and key exchange and it works on the Elliptic Curve Cryptosystems (ECC) base, as well as the DH (Diffie-Hellman) base.
Road to Authentication
Step 1: 802.1X Port-Based Network Control (Note 1)
Step 2: EAP Method
Step 3: Authentication Mechanism
• Public-Key Certificates: No
— EAP-AKA, EAP-SIM: SIM-based
— EAP-TLS-PSK, EAP-IKEv2, EAP-PSK: Pre-Shared Keys
— EAP-PAX, EAP-SPEKE: Passwords
• Public-Key Certificates: Yes
— Client Certificate: No, Only Server (Note 2)
– PEAP: EAP Methods, EAP-TLS, EAP-GTC, MS-CHAPv2
– EAP-TTLS: EAP Methods, CHAP, PAP, MS-CHAP and MS-CHAPv2
— Client Certificate: Yes (Note 3)
– EAP-TLS: RSA / ECC, Client and Server Certificates
Note 1: Strong Access Control protocol. Must be coupled with a secure EAP method.
Note 2: No need to issue certificate to the client.
Note 3: Both the client and the server must be assigned a digital certificate signed by a certificate authority. Requires PKI.
EAP Key Material
• User authentication protocols perform two functions:
— Verifying the identity of one or both parties, and
— Producing ephemeral secret keys shared between the parties that are used subsequently for data origin authentication.
• During authentication, key material is transported or agreed to.
— In key transport, both parties share a key-encrypting key that is used to wrap (encipher) the key that is going to be transported (exchanged).
— A key agreement algorithm allows two parties to generate a secret key computed from public key algorithms such as Diffie-Hellman.
• Exchanged or generated keys are used to generate key material.
• In EAP, the following keys are derived: Master Session Key (MSK), Extended Master Session Key (EMSK), AAA Key, Application-Specific Master Session Keys (AMSK), Transient Session Keys (TSK), Initialization Vector (IV), and Transient EAP Keys (TEK).
• The MSK is used to derive the AAA Key; the AAA Key is used to derive the Transient Session Keys (TSKs), and the TSKs are used to protect data.
EAP Password Mechanisms
• Legacy authentication systems are based on passwords
or token-based authentication systems.
• EAP is used with legacy authentication systems by first
establishing a secure tunnel (e.g. TLS), and then using
that tunnel to run the legacy authentication protocols, so
the authentication is running in an inner tunnel.
• Two EAP methods, TTLS and PEAP, have been
proposed to support legacy authentication systems.
— EAP-TTLS supports all EAP methods, CHAP, PAP, MS-CHAP, and MS-CHAPv2.
— EAP-PEAP supports all EAP methods, as well as EAP-TLS, EAP-GTC, MS-CHAPv2. PAP and CHAP are not recommended for use as authentication methods with EAP-PEAP.
EAP PEAP with MS-CHAP-v2
[Figure: message exchange between the authenticator and the client]
1. Authenticator to client: Request Identity Message
2. Client to authenticator: Client or Computer Identity
3. Authenticator to client: Authenticator Challenge (16-octet random number)
4. Client to authenticator: Client Challenge Response (24-octet) and Client Challenge (16-octet random number)
5. Authenticator to client: Success Message and Response to Client Challenge
6. Client to authenticator: Ack Message
7. Authenticator to client: Success Message
The entire authentication exchange is encrypted through the TLS channel created in PEAP.
EAP Generic Token Card (GTC)
[Figure: EAP Generic Token Card. Labels: user with token (seed, encipher with key); authenticator; access control server with the user's key database (PIN, seed, encipher with key); the two enciphered results are checked to be the same.]
EAP One-Time Password (OTP)
[Figure: EAP One-Time Password. The user concatenates the seed and challenge numbers with the user's secret pass-phrase or PIN and applies a hash function to obtain the one-time password; the network access server (authenticator) does the same with the pass-phrase or PIN from its database and checks that the two results are the same.]
Secret pass-phrase and seed are hashed the number of times to be equal to the Challenge number and then become a One-Time Password.
One-Time Password Systems
• New password required for each session.
• IETF standardized OTP in RFC 2289.
• Difficult to administer the secret pass-phrase list and, therefore, not very scalable.
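The hash-chain idea on this slide, as an added example that is not part of the original slides: the pass-phrase and seed are hashed as many times as the challenge number says, and each login reveals the previous link of the chain. It follows the RFC 2289 arrangement in which the server stores only the last accepted one-time password, but uses full SHA-256 output instead of RFC 2289's 64-bit folded output; the names `otp`, `OtpServer` and the sample values are assumptions.

```python
import hashlib
import hmac


def otp(passphrase, seed, count):
    """Hash seed || pass-phrase `count` times; the result is the one-time password."""
    if count < 1:
        raise ValueError("count must be at least 1")
    value = (seed + passphrase).encode("utf-8")
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Per user: seed, current sequence number and the last accepted OTP.

    The pass-phrase itself is never stored on the server in this arrangement.
    """

    def __init__(self):
        self._users = {}

    def enroll(self, user, seed, count, initial_otp):
        # initial_otp is otp(passphrase, seed, count), computed by the user.
        self._users[user] = {"seed": seed, "count": count, "last": initial_otp}

    def challenge(self, user):
        """Return (seed, sequence number) the user must answer."""
        rec = self._users[user]
        if rec["count"] <= 1:
            raise RuntimeError("hash chain exhausted; enroll again with a new seed")
        return rec["seed"], rec["count"] - 1

    def verify(self, user, response):
        """Accept if hashing the response once more gives the stored OTP."""
        rec = self._users[user]
        if hmac.compare_digest(hashlib.sha256(response).digest(), rec["last"]):
            rec["last"] = response      # next login must reveal the previous link
            rec["count"] -= 1
            return True
        return False


def demo():
    passphrase, seed = "constructed pass-phrase", "ke1234"   # constructed sample values
    server = OtpServer()
    server.enroll("alice", seed, 100, otp(passphrase, seed, 100))
    outcomes = []

    s, n = server.challenge("alice")                          # sequence number 99
    first = otp(passphrase, s, n)
    outcomes.append(server.verify("alice", first))            # fresh OTP
    outcomes.append(server.verify("alice", first))            # same OTP replayed

    s, n = server.challenge("alice")                          # sequence number 98
    outcomes.append(server.verify("alice", otp("wrong guess", s, n)))
    outcomes.append(server.verify("alice", otp(passphrase, s, n)))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A captured one-time password is useless for the next login because the server then expects the preimage of the value it just accepted.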
Password Security Considerations
• Passwords are prearranged identifiers that the user possesses,
such as words, special coded phrases, personal identification
numbers (PINs), etc.
• Password systems require a single coded response from the user to
be allowed access to the host computer.
• When writing a password policy, organizations should consider the
following:
— How the password will be selected
— How often the password will be changed
— How long the password will be used
— How the system will handle (transmit) the password
• Users normally choose unsatisfactory or poor passwords, such as
words from a dictionary, words spelled backwards, first names,
surnames, address numbers, telephone numbers, and social
security numbers.
Password Guessing
• In 1985, the Department of Defense published the Password Management Guideline, CSC-STD-002-85, that described how to calculate the maximum lifetime of a password.

$$L = \frac{P \times S}{R}$$

where
L = Maximum lifetime for a password
P = Probability that a password can be guessed within its lifetime, assuming continuous guesses for that period.
R = Number of guesses possible to make per unit of time.
S = Password space; the total number of passwords that can be generated.
$S = A^M$ (A = number of alphabet symbols, M = password length)
• For $P = 10^{-6}$; R = 500K guesses/sec = $43.2 \times 10^{8}$/day.
• For a password that consists of a combination of ten upper and lower case letters and numbers 0 - 9, then

$$S = A^M = 62^{10} = 8.39 \times 10^{17}$$

and

$$L = \frac{10^{-6} \times 8.39 \times 10^{17}}{43.2 \times 10^{8}} = 19.43 \text{ days}$$
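The lifetime formula above applied in both directions, as an added example that is not part of the original slides: the maximum lifetime for a given password length, and the shortest length that supports a required lifetime. The per-day rate is derived from the 500K guesses/sec figure (500,000 × 86,400 = 4.32 × 10^10 guesses/day), which reproduces the 19.43-day result; the function names are assumptions.

```python
SECONDS_PER_DAY = 86_400


def password_space(alphabet_size, length):
    """S = A^M: number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def max_lifetime_days(p, guesses_per_second, alphabet_size, length):
    """L = P * S / R, with R converted from guesses/sec to guesses/day."""
    r_per_day = guesses_per_second * SECONDS_PER_DAY
    return p * password_space(alphabet_size, length) / r_per_day


def min_length(p, guesses_per_second, alphabet_size, lifetime_days):
    """Smallest M with L >= lifetime_days, i.e. A^M >= L * R / P."""
    required_space = lifetime_days * guesses_per_second * SECONDS_PER_DAY / p
    length = 1
    while password_space(alphabet_size, length) < required_space:
        length += 1
    return length


def demo():
    p, rate = 1e-6, 500_000          # values from the slide
    rows = []
    # Alphabets: lower case only, letters of one case plus digits, both cases plus digits.
    for alphabet in (26, 36, 62):
        rows.append((
            alphabet,
            round(max_lifetime_days(p, rate, alphabet, 10), 4),  # lifetime of a 10-symbol password
            min_length(p, rate, alphabet, 90),                   # length needed for a 90-day lifetime
        ))
    return rows


if __name__ == "__main__":
    for alphabet, lifetime, length in demo():
        print(f"A={alphabet}: 10 symbols last {lifetime} days; 90 days needs M={length}")
```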
Password Guidelines
• Must contain a combination of at least eight alphanumeric characters including at least one alphabetic, one numeric, and one special (e.g., punctuation) character, as well as one upper case and one lower case character.
• Must be a minimum length of ten characters (not eight) if the system does not distinguish between upper and lower case.
• Must not contain the user ID or portion thereof.
• Must not be a combination of year and date.
• Must not contain any two or more letters in forward or reverse alphabetic sequence, ASCII sequence, or QWERTY sequence, regardless of the case.
• In the Windows NT environment, it is better to use passwords that are exactly 7 or 14 characters in length.
• The system should not modify the end-user password, i.e., convert the password to all lower case, or truncate the password.
• Passwords must not be stored or retained in clear at any location; instead, a hash of the password should be stored. The Secure Hash Algorithm SHA (224, 256, 384, or 512) should be used and the hashed password should not be truncated.
Access Authentication
• Two-Factor Authentication
— To identify and authenticate an authorized system user, two factors are
necessary: (1) Something secret only the user knows – a memorized
personal identification number (PIN) or password; (2) Something unique the
user possesses – a token.
• Time Synchronizing
— The authorized system user carries a token which generates a unique, one-time, unpredictable access code every 60 seconds. To gain access to a protected resource, a user simply enters his or her secret PIN, followed by the current code displayed on the token.
— Authentication is assured when the authenticator recognizes the token’s unique code in combination with the user’s unique PIN. Software synchronizes each token with hardware at the authenticator.
— RSA SecurID token is a good example of a product providing an easy, one-step process to positively identify network and system users.
RADIUS Authentication Server
• Used for Remote Authentication Dial-In User Services
• Is an easy method for authentication, authorization and accounting
of dial-in users (AAA).
• Relies on basic Request/Accept messaging.
• Uses UDP (User Datagram Protocol).
• Relies on “shared secret” for NAS authentication
• Access-Request
— Sent by RADIUS client (Network Access Server - NAS)
— Contains username, password and particulars such as NAS ID, port number,
access type, etc.
• Password encrypted with shared secret
• Access-Accept or Access-Reject
— Returned by RADIUS server
— Contains list of attributes (called authorization info) used by the NAS
[Figure: RADIUS message flow, steps 1 to 7, between the client (user, with smart card or software), the Network Access Server (NAS), which operates as a client of RADIUS, and the RADIUS server with its database (list of requirements which must be met to allow access for the user). Messages: Access-Request, Access-Reject or Challenge, Response, resubmitted Access-Request.]
Step 1: Access-Request
• User dials into remote access server
• User Name
• Password (hidden using RSA Message Digest Algorithm, MD5)
• NAS ID
• Port ID
Steps 2-4
• NAS sends request for RADIUS authentication and authorization.
• RADIUS checks against its user ID database, and
• Provides info to NAS whether the user is in the database or not.
Steps 5-6
• Sends Access-Reject or Challenge (random number)
• User enciphers Challenge with Smart Card or encryption software.
Step 7: Resubmit Access-Request
• Original Access-Request with the User Password Attribute replaced by the encrypted response.
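How the password in the Access-Request is hidden with MD5 and the shared secret, as an added example that is not part of the original slides. It follows the User-Password construction of RFC 2865, section 5.2 (pad to 16-octet blocks, XOR each block with MD5 of the shared secret and the previous block, starting from the 16-octet Request Authenticator); the function names and sample values are assumptions.

```python
import hashlib
import os

BLOCK = 16  # MD5 output size and RADIUS password block size, in octets


def hide_password(password, secret, request_authenticator):
    """NAS side: produce the hidden User-Password attribute value."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    previous = request_authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += block
        previous = block            # chain on the previous hidden block
    return hidden


def recover_password(hidden, secret, request_authenticator):
    """RADIUS server side: undo the hiding with the same shared secret."""
    if len(hidden) % BLOCK or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = b""
    previous = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return plain.rstrip(b"\x00")


def demo():
    secret = b"constructed-shared-secret"      # constructed NAS/server shared secret
    password = b"a-20-octet-password!"         # constructed user password
    # The Request Authenticator must be unpredictable and unique per request,
    # because it is the only per-request input to the MD5 mask.
    authenticator = os.urandom(BLOCK)
    hidden = hide_password(password, secret, authenticator)
    return {
        "hidden_length": len(hidden),
        "server_recovers": recover_password(hidden, secret, authenticator) == password,
        "wrong_secret_recovers": recover_password(hidden, b"other", authenticator) == password,
    }


if __name__ == "__main__":
    print(demo())
```

The construction protects only the password attribute and depends entirely on the strength of the shared secret; the rest of the Access-Request travels in the clear over UDP.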
Needham and Schroeder Authentication
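[Figure: trusted entity T, A and B. Messages 1 and 2 pass between A and T; messages 3, 4 and 5 pass between A and B.]
1. $A \to T$: $\{A \,\|\, B \,\|\, R_A\}$
2. $T \to A$: $E_{K_A}\{R_A \,\|\, B \,\|\, K \,\|\, E_B(K \,\|\, A)\}$
3. $A \to B$: $E_B\{K \,\|\, A\}$
4. $B \to A$: $E_K\{R_B\}$
5. $A \to B$: $E_K\{R_B - 1\}$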
Kerberos Authentication Method
• Internet security standard protocol RFC 1510 based on trusted third-party centralized authentication to offer authentication services to users and servers in an open distributed environment.
— Used in Windows 2000
• Relies on secret-key symmetric ciphers for encryption and authentication.
• Requires trust in a third party (the Kerberos server) for authentication.
— If the server is compromised, the integrity of the whole system is lost.
• Does not use public-key encryption; therefore, it does not produce digital signatures or authentication of authorship of documents.
• Version 4 still used.
• Version 4 makes use of DES in Propagating Cipher Block Chaining (PCBC) mode.
• Version 5 (RFC 1510) uses any encryption algorithm. If DES is used it has to be in CBC mode.
ftp://ftp.isi.edu/in-notes/rfc1510.txt
Kerberos
[Figure: exchange between Alice, the client workstation, the Kerberos server and application server “B” (database # 1)]
1. Alice to client workstation: I am Alice, and here is my password to prove it.
2. Client workstation to Kerberos server: I am Alice’s workstation and I want to use database # 1 in the application server “B”. Here is my user ID.
3. Kerberos server to client workstation: I believe you. Here is your ticket with your user ID, network address, and the server ID for the application server “B” you want to access.
4. Client workstation to application server “B”: I am Alice, and I want to use your database #1. Here is my ticket.
5. Application server “B” to client workstation: I believe you, and here is your access to the database services.
Ticket is encrypted using the secret key shared by the Kerberos server and the Application server.
• Kerberos server performs the functions of a Key Distribution Center (KDC).
— Keeps the secret keys of all users.
— Authenticates the identities of users and distributes session keys to users and servers.
• Application servers do not communicate with the Kerberos server.
Kerberos’ Abbreviations and Protocols
Abbreviations:
C = Client
S = Server
TGS = Ticket Granting Server
$addr_x$ = x’s network address
$A_x$ = x’s authentication (name, address, and timestamp)
$ID_x$ = x’s identification
$K_x$ = x’s secret key
$K_{x,y}$ = Session key for x and y communications
$K_x\{m\}$ = m encrypted with x’s secret key
$T_{x,y}$ = x’s ticket to use with y
$TGS_x$ = TGS used by C
times = beginning and ending validity time for a ticket, timestamp
$\|$ = concatenation
Kerberos’ ticket for x to talk with y:
$T_{x,y} = E_{K_y}\{ID_x, addr_x, times, K_{x,y}\}$
[Figure: C exchanges messages 1 and 2 with the AS (once per user log on), messages 3 and 4 with the TGS (once per type of service), and messages 5 and 6 with S (once per service session).]
1. $ID_C \,\|\, TGS_C \,\|\, time$
2. $E_{K_C}\{K_{C,TGS}\} \,\|\, E_{K_{TGS}}\{T_{C,TGS}\} \,\|\, time$
3. $ID_S \,\|\, E_{K_{TGS}}\{T_{C,TGS}\} \,\|\, E_{K_{C,TGS}}\{A_C\}$
4. $E_{K_{C,TGS}}\{K_{C,S}\} \,\|\, E_{K_S}\{T_{C,S}\}$
5. $E_{K_S}\{T_{C,S}\} \,\|\, E_{K_{C,S}}\{A_C\}$
6. $E_{K_{C,S}}\{timestamp, Subkey, Seq\ \#\}$
Kerberos Encryption and Checksum
Encryption
[Figure: confounder, message and padding are enciphered with Ke and passed through HMAC with Ki.]
Ciphertext Output = E(Ke, confounder || message || padding) || HMAC(Ki, confounder || message || padding)
Checksum
[Figure: the confounder is enciphered with Ke; confounder, message and padding are passed through HMAC with Ki and the result is enciphered with Ke.]
Checksum Output = E(Ke, confounder) || E[Ke, HMAC(Ki, confounder || message || padding)]
Kerberos Security Concerns
• Secret keys should be distributed in a secure way.
• Kerberos servers have the same concerns as secret-key encryption in general: confidentiality and timeliness apply to Kerberos’ secret keys.
• Kerberos servers should be located in physically secure
environments with restricted physical access.
• Multiple-service-granting tickets are reusable, so an
opponent may capture the ticket and use it.
— Tickets should have a timestamp and a lifetime to prevent replay
attacks (Version 5).
X.509 Authentication Method
• ITU-T recommendation X.509 is part of the X.500 series of
recommendations that define a directory service.
• X.509 is the primary standard for certificates. It specifies not only
the format of the certificate, but also the conditions under which
certificates are created and used.
• Two types of authentication are used.
— Simple Authentication using passwords.
— Strong Authentication using public-key crypto systems.
• Public Key Infrastructure (PKI) is based on X.509, Version 3.
— Each certificate contains the public key of a user and is signed with the
private key of a CA.
— RSA is recommended for use in X.509.
• X.509 is used in S/MIME, IP Security, TLS/SSL and SET.
X.509 – Simple Authentication
[Figure: Alice (A), Bob (B) and the Directory, with messages 1 to 4.]
1. Alice sends her ID and password to Bob;
2. Bob sends Alice’s ID and password to the Directory, where the password is checked against the information held for Alice.
3. The Directory confirms (or denies) to Bob that the credentials are valid.
4. The success (or failure) of authentication may be conveyed to Alice.
The password is sent in cleartext.
X.509 – Simple Protected Authentication
[Figure: Alice feeds her ID, password, time stamp and random number into a one-way function and transmits the hash together with her ID, time stamp and random number; Bob feeds the received ID, time stamp and random number, with Alice’s password from the Directory, into the same one-way function and compares the two hashes.]
• Using a one-way function, Alice creates a hash of her ID, password, time stamp and a random number.
• Alice sends in clear her ID, time stamp and random number. The time stamp and/or random number (when used) is used to minimize replay and to conceal the password.
• Bob generates Alice’s hash by using Alice’s ID and optional time stamp and/or random number, together with the Directory’s local copy of Alice’s password.
• Bob compares Alice’s hash with the locally generated hash value.
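The protected simple authentication exchange above with both sides shown, as an added example that is not part of the original slides. SHA-256 stands in for the unspecified one-way function, and the freshness window, the replay cache and all names (`protected_token`, `Verifier`, the sample directory) are assumptions.

```python
import hashlib
import hmac
import os
import time


def protected_token(user_id, password, timestamp, nonce):
    """Alice's side: one-way function over ID, password, time stamp and random number."""
    h = hashlib.sha256()
    for field in (user_id.encode(), password.encode(), str(timestamp).encode(), nonce):
        # Length-prefix every field so that different field splits cannot collide.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


class Verifier:
    """Bob's side: recompute the hash from the Directory's copy of the password."""

    def __init__(self, directory, max_skew=120):
        self.directory = directory      # user ID -> password, as held by the Directory
        self.max_skew = max_skew        # accepted clock difference in seconds
        self.seen = {}                  # (user ID, nonce) -> time stamp of accepted messages

    def verify(self, user_id, timestamp, nonce, token, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.max_skew:
            return "stale"
        # Entries older than the window would be rejected as stale anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        if (user_id, nonce) in self.seen:
            return "replay"
        password = self.directory.get(user_id)
        if password is None:
            return "unknown user"
        expected = protected_token(user_id, password, timestamp, nonce)
        if not hmac.compare_digest(expected, token):
            return "bad credentials"
        self.seen[(user_id, nonce)] = timestamp
        return "ok"


def demo():
    bob = Verifier({"alice": "constructed-password"})     # constructed directory entry
    now = int(time.time())
    nonce = os.urandom(16)
    token = protected_token("alice", "constructed-password", now, nonce)
    # Alice transmits her ID, time stamp and random number in clear, plus the hash.
    first = bob.verify("alice", now, nonce, token, now=now)
    replayed = bob.verify("alice", now, nonce, token, now=now + 5)
    late = bob.verify("alice", now, os.urandom(16), token, now=now + 3600)
    return first, replayed, late


if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire, but the Directory still has to hold a copy that lets Bob recompute the hash, which is the limitation the strong (public-key) variants remove.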
X.509 – One-way Strong Authentication
[Figure: one-way strong authentication from Alice to Bob, using Alice’s CA.]
Alice
• Authentication message: non-repeating number rA, time stamp tA, Bob’s ID IDB, sgnData, and Bp[encData], a secret key [encData] enciphered using Bob’s public key.
• Alice’s digital signature: the authentication message is enciphered using Alice’s private key.
• Sends the enciphered and signed authentication message with Alice’s certificate and path to CA.
Bob
• Deciphers Alice’s certificate using the CA’s public key to obtain Alice’s public key and info.
• Checks if Alice’s certificate has expired.
• Deciphers the authentication message using Alice’s public key to obtain rA, tA, IDB, Bp[encData].
• Deciphers Bp[encData] using Bob’s private key to obtain the secret key [encData].
• Checks that Alice’s non-repeating number has not been replayed.
• Checks that Alice’s time stamp is current.
• Verifies that Bob himself is the intended recipient.
X.509 – Two-way Strong Authentication
[Figure: the reply from Bob to Alice in two-way strong authentication, using Bob’s CA.]
Bob
• Authentication message: non-repeating number rB, time stamp tB, Alice’s ID IDA, sgnData, and Ap[encData], a secret key [encData] enciphered using Alice’s public key.
• Bob’s digital signature: the authentication message is enciphered using Bob’s private key.
• Sends the enciphered and signed authentication message with Bob’s certificate.
Alice
• Deciphers Bob’s certificate using the CA’s public key to obtain Bob’s public key and info.
• Checks if Bob’s certificate has expired.
• Deciphers the authentication message using Bob’s public key (labelled rB, tB, IDA, Bp[encData] in the figure).
• Deciphers using Alice’s private key to obtain the secret key [encData].
• Checks that Bob’s non-repeating number has not been replayed.
• Checks that Bob’s time stamp is current.
• Verifies that Alice herself is the intended recipient.
Key Length Equivalent Strengths
Security  Symmetric    Hash       Block Size  Word Size  Diffie-Hellman and  ECC
(Bits)    Encryption   Algorithm  (Bits)      (Bits)     RSA Modulus Size
          Algorithm
80        SKIPJACK     SHA-1      512         32         1024                160
112       3DES         SHA-1      512         32         2048                224
128       AES-128      SHA-256    512         32         3072                256
192       AES-256      SHA-384    1024        64         7680                384
256       AES-512      SHA-512    1024        64         15360               512
To Probe Further
• Public-Key Infrastructure (X.509) (PKIX) Charter. Links to many X.509 RFP web sites. http://www.ietf.org/html.charters/pkix-charter.html
• Directories and X.500: An Introduction, Information Technology Services, National Library of Canada. Retrieved August 20, 2002 from http://www.nlc-bnc.ca/9/1/p1-244e.html
• RFC 2865 Remote Authentication Dial-in User Service (RADIUS) describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server that desires to authenticate its links and a RADIUS Server. http://www.ietf.org/rfc/rfc2865.txt?number=2865
• Password Management Guideline, CSC-STD-002-85. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html
• One-Time Password System RFC 2289. IETF. http://www.ietf.org/rfc/rfc2289.txt?number=2289
• The Kerberos Network Authentication Service (V5). RFC 1510. IETF. http://www.ietf.org/rfc/rfc1510.txt?number=1510
• Extensible Authentication Protocol RFC 2284
• Mishra, Arunesh, and William Arbaugh. (2001) "An Initial Security Analysis of the IEEE 802.1X Security Standard." Paper available from http://www.cs.umd.edu/~waa/1x.pdf
• Needham R. M., M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21 (12), pp. 993-99.
802.1X Ethernet Packet
Ethernet frame carrying 802.1X:
• Dest. MAC (6 bytes): 0180C200000F
• Source MAC (6 bytes)
• Type (2 bytes): 8180
• Protocol Version (1 byte): 01
• Packet Type (1 byte)
• Packet Body Length (2 bytes)
• Packet Body (n bytes)
Packet Type values:
• 00 EAP-Packet
• 01 EAPOL-Start *
• 02 EAPOL-Logoff *
• 03 EAPOL-Key
• 04 EAPOL-Encapsulated-ASF-Alert
* No Packet Body Field
Packet Body for an EAP-Packet:
• Code (1 byte): 1 Request, 2 Response, 3 Success, 4 Failure
• Identifier (1 byte)
• Length (2 bytes)
• Data (n bytes): EAP Payload (EAP-TLS, EAP-TTLS, EAP PEAP)
Packet Body for an EAPOL-Key:
• Descriptor Type (1 byte)
• Key Length (2 bytes)
• Replay Counter (8 bytes)
• Nonce (32 bytes)
• Key IV (16 bytes)
• Key Index (1 byte)
• Key Signature (16 bytes)
• Key (n bytes)
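A parser for the EAPOL header and the EAP packet laid out above, as an added example that is not part of the original slides. It starts at the Protocol Version octet (after the Ethernet header), checks the declared lengths against the bytes actually present, and ignores trailing Ethernet padding; the EAP method type numbers come from RFC 3748 and the IANA EAP registry rather than from the slide, and the function names and sample frames are assumptions.

```python
import struct

EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types from RFC 3748 / IANA (not listed on the slide).
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 5: "OTP", 6: "GTC",
               13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(packet):
    """Parse Code, Identifier, Length and, for Request/Response, the method type."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match the packet")
    data = packet[4:length]
    result = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (1, 2) and data:
        result["method"] = EAP_METHODS.get(data[0], f"type {data[0]}")
        result["type_data"] = data[1:]
    return result


def parse_eapol(pdu):
    """Parse Protocol Version, Packet Type, Packet Body Length and the body."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    version, packet_type, body_length = struct.unpack("!BBH", pdu[:4])
    if packet_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {packet_type}")
    body = pdu[4:4 + body_length]       # anything after this is Ethernet padding
    if len(body) != body_length:
        raise ValueError("packet body shorter than Packet Body Length")
    result = {"version": version, "type": EAPOL_TYPES[packet_type],
              "body_length": body_length}
    if packet_type == 0:
        result["eap"] = parse_eap(body)
    return result


# Constructed samples: an EAPOL-Start, and an EAP Response/Identity for "alice"
# followed by four octets of padding.
SAMPLE_START = bytes([0x01, 0x01, 0x00, 0x00])
SAMPLE_IDENTITY = bytes([0x01, 0x00, 0x00, 0x0A,
                         0x02, 0x01, 0x00, 0x0A, 0x01]) + b"alice" + bytes(4)

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_START))
    print(parse_eapol(SAMPLE_IDENTITY))
```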
VPN Applications:
Extranets and Remote Access
[Figure: a laptop with VPN and MCS client software connects in tunnel mode across the Internet, through a router, to the VPN gateway in front of Nortel’s protected intranet; a security policy server is also shown.]
VoIP and data packets are enciphered between the laptop and the VPN Gateway.
EAP Authentication Process
[Figure: EAP authentication process for IP phone user authentication. The IP phone reaches the authenticator with EAP over Ethernet; the authenticator passes the EAP method to the authentication server (Radius, Kerberos, PKI, OTP, Token), which is backed by a password authentication database, a token authentication database, an X.509 directory and a Kerberos ticket granting server.]
VoIP VPN Tunnel using IPSec
[Figure: two IP phones, each behind a router, connected by a VPN tunnel across the Internet/IP WAN.]
VoIP using TLS (SSL)
• Use Diffie-Hellman Public Key Exchange Algorithm to negotiate a key; both ends then hold the shared master secret key.
• The negotiated secret key is used to encipher all IP voice packets during the phone call.
• Use AES to encipher and decipher a secure TLS (SSL) VoIP phone call.
[Figure: encipher and decipher paths. Cleartext blocks, an IV and the master shared secret key feed chained AES operations (+) that produce ciphertext blocks; the decipher path uses the same IV and master shared secret key to recover the cleartext blocks.]
Extensible Authentication Protocol
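[Figure: message exchange between the client (peer, supplicant), the authenticator and the authentication server (Radius)]
1. Client to authenticator: EAPOL Start
2. Authenticator to client: EAP Request Identity
3. Client to authenticator: EAP Response Identity
4. Authenticator to authentication server: Radius Access Request
5. Authentication server to authenticator: Radius Access Challenge
6. Authenticator to client: EAP Request
7. Client to authenticator: EAP Response
8. Authenticator to authentication server: Radius Access Request
9. Authentication server to authenticator: Radius Access Accepted
10. Authenticator to client: EAPOL Success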