OTP-II-Presentation - Networked Software Systems Laboratory

advertisement
OTP II Project Presentation
Roman Kecher (roman.kecher@gmail.com)
Ophir Etzion (ophir86@gmail.com)
Supervised by: Zeev Schneider (zeev@technion.ac.il)
Software Lab, EE Technion. 08-02-2009
Introduction
Remote Authentication Dial In User
Service (RADIUS) is a networking protocol
that provides centralized access for people
or computers to connect and use a
network service.
 In the user’s authentication process we
would like to use a One Time Password
(OTP) for security reasons.

The OTP Concept (or, OTP I)
The idea is to use a different, one time,
password each time a password is
required.
 The OTP is created using a cryptographic
hash function (which is one-way) MD5, on
a string built from known parameters that
are updated each time, thus providing a
different hash each invocation.

Solution Characteristics
Internet Authentication Service (IAS) is
Microsoft’s implementation of RADIUS.
 IAS allows any developer to write custom
extensions to the authentication process.
 Our solution is an extension to the IAS that
allows a user to authenticate with an OTP
instead of his static, fixed password.

OTP IAS Extension
The IAS communicates with an Active
Directory (AD) server that stores all users
data.
 Our OTP data is stored in that very same
AD and fetched by the extension, prior to
computing the current OTP.
 After a successful connection attempt, the
OTP data in the AD is updated in order to
get a different OTP next time around.

How does it look?
Wireless Access Point,
acting as a RADIUS
client.
User’s computer, wishing to
connect to the wireless network
using the 802.1x wireless protocol.
AD Server, this is where
all the OTP data of the
users is stored.
IAS, acting as a RADIUS
Server. This is where our
product is installed.
Cellphone with “OTP I”:
Java applet to produce
current OTP.
Development tools in use
For the whole development process, from
start to end, we have used the Visual
Studio 2005 IDE (Integrated Development
Environment) by Microsoft.
 We’re not big fans of debugging, therefore
the only debugging tools in use were a
Debug class written by us which provided
logging of everything, so we could check
up on suspicious behavior.

Technologies



The solution consists of pure C++ code, with use
of the MFC, ATL, and STL, along with some
Microsoft specific structures (like VARIANT).
We used ADSI (Active Directory Services
Interface) – an interface that allowed us to
conduct easy and correct communication with
the AD.
We have used the MD5 (Message Digest 5)
algorithm as part of the OTP generation process.
Implementation
As our solution is an extension to the IAS,
we had to implement it as a DLL (Dynamic
Linked Library).
 That DLL had to implement and export at
least one mandatory function, which is in
charge of returning the accept/reject
decision to the IAS:

RadiusExtensionProcess (Radius_attrs, Radius_action)
Encountered Problems

The MMC (Microsoft Management Console)
doesn’t allow a user to view/edit custom
attributes (such as ours).


Solution: we wrote an extension to the MMC that
allows us to view and edit our own custom attributes.
Debugging a DLL can be pretty tricky, even
more so when the executing machine isn’t the
one we’re compiling on.

Solution: we wrote an internal logging facility for the
whole extension, so we could see all the relevant data
when an inspection is needed.
Design Review
The chosen design is pretty much dictated
to us since we’re writing an extension to
an already existing product; therefore we
must implement it as a DLL, and have the
correct functions exported.
 The rest of the design conforms to the
principles of OOP (Object Oriented
Design) and is well divided into logical
modules, exactly the way it should be.

Code, Briefly
Here are the major modules(/classes):
 Main – this is the main entry point of the dll. It
interacts with the IAS.
 MD5 – Implementation of MD5.
 OTP – This module is in charge of computing
the current OTP (per user).
 MyADSI – This module is in charge of the
communication with the AD.
 MyAux – Auxiliary module. Contains some useful
functionality, serving everybody.
 Dbg – Debug class for logging purposes.
Interaction of Code
The IAS
The AD
Main
OTP
MyADSI
MD5
MyAux
Dbg
A
B
Means: A uses B.
The MMC Extension Code



The MMC Extension is far more trivial code
wise.
The extension consists of a single MFC based
dialog, UserPropPage. In this dialog we have the
three relevant properties (or attributes): PIN,
Seed, Iteration.
All the code in the project is C++ code with MFC
in use, which implements the functionality of
reading the custom attributes from the AD and
writing them back.
Installing the MMC Extension
We have to extend the AD Schema with
three new attributes: otpseed, otppin,
otpiteration.
 Once this is done, the new MMC
extension DLL must be registered and
added to the user-display Properties,
under AdminPropertyPages.
 This is all well explained in the supplied
documents.

The New MMC Extension
Demonstration
Relevant Courses
Security knowledge:
 236350 Computer Security.
 236506 Modern Cryptology.
Implementation and practice:
 236703 Object Oriented Programming.
 236700 Software Design.
Network related:
 236341 Internet Networking.
Gains from the project

We learned an entire system and the
technologies within entirely from scratch:
IAS, AD, and more. This benefits us in at
least two ways:
We got acquainted with a whole range of new
technologies and systems that can be useful
in the future.
 We learned how to cope with an totally new
and challenging environment in which we
have to work and find our own way.

More gains!
In this project we have put to practice
some of the theoretical knoweldge we had
before.
 We learned how to deal with a very
practical and well defined demand for a
working product – this defers greatly from
any demands we faced in normal courses.
 We learned much from Zeev and his
experience 

Summary
This project was a really beneficial
experience that really assured us we are
ready to handle anything we may face, no
matter how new and challenging it is.
 At the bottom line, we have a working
product here, that has a demand in the
market! We may consider trying to sell it,
or continue working in the field.

Suggestions for OTP III ?
Some studies show that MD5 has quite a
few weaknesses, so basing the OTP on a
different hash algorithm may be a smart
direction to go in.
 Another nice suggestion could be building
a hardware device for creating the OTPs.
Perhaps even one that is based on the
time of creation, rather then on the number
of invocations, to create the OTP.

Download