Security at the Operating System Level (Microsoft)

By Birinder Dhillon
Outline

- Why need security at the OS level?
- Security features/concerns of Microsoft Windows NT.
- Security provided by Microsoft Windows 2000.
- “Next Generation Secure Computing Base for Windows” by Microsoft.
- Conclusion.
- Questions/Comments.
Why need security at the OS level?

- No more standalone computer system environments.
- Any system can be globally accessible through a vast set of inter- and intra-network connections.
- The transition was motivated by the need to work remotely, convenience in accessing personal records, online shopping, etc.
Why need security at the OS level? (contd.)

- Convenience and efficiency come with increased security risks.
- We trust computers more than our life partners.
- A single security loophole in the OS design, known to a malicious attacker, could do serious damage.
Security Model of Microsoft Windows NT

- Access Tokens: Evidence that a user successfully logged in.
- Security Descriptors: Represent the access rights of a logged-in user.
- Object Manager: Reads the security descriptors and passes the information on to the Security Reference Monitor (SRM). The SRM determines whether a user’s action is legal or illegal.
Security features of Microsoft Windows NT

- NTFS
  - Allows system administrators to set global or very specific file access permissions.
  - Sets up a virtual root directory to prevent network users from accessing higher nodes in the system.
Security features of Microsoft Windows NT (contd.)

- Minimum password length and frequent password change requirements.
- Multiple levels of privilege, unlike UNIX.
- Challenge-response scheme for authentication during a user log-on attempt.
- Auditing.
Loopholes in Microsoft Windows NT Security Model

- Assumes a logged-in user is a legal user.
- Networking environment uses some old, out-of-date protocols (such as NetBEUI, DLC).
- Use of non-standard implementations of security protocols, for example Microsoft's implementation of PPTP.
- Obvious relationships between clear-text passwords and hash values. Tools like l0phtcrack can exploit this vulnerability.
Security features of Microsoft Windows 2000

- Technology based on Windows NT.
- Designed to address the security loopholes of Windows NT.
- New security features included with Windows 2000: Active Directory, ACLs for both users and resources, Encrypting File System, Kerberos, Internet Protocol Security (IPSec), PKI.
Kerberos

- Windows 2000 replaces NT LAN Manager with Kerberos version 5.
- Network authentication protocol.
- Involves the participation of two principals and a trusted third party called the Key Distribution Center (KDC).
- Uses symmetric key encryption. The KDC provides the shared key for each session.
Kerberos (contd.)

- Scenario 1: A principal is trying to log on to his/her workstation.
- Scenario 2: A principal wants to communicate with another principal.
Kerberos (contd.)
Scenario 1

The following sequence of events occurs (P is Alice’s password, U her user name, W her workstation):

  Alice → W   : P, U
  W → KDC     : U
  KDC → W     : { S_A, { S_A, U, TS } K_KDC } K_A

S_A is the session key for communication between Alice’s workstation and the KDC; { S_A, U, TS } K_KDC is the Ticket-Granting Ticket (TGT).

W computes K_A = hash(P) and decrypts { S_A, { S_A, U, TS } K_KDC } K_A.
Kerberos (contd.)
Scenario 2

The following sequence of events occurs:

  Alice → KDC : { TGT } K_KDC, Bob, { TS } S_A
  KDC decrypts the TGT and obtains S_A.
  KDC decrypts TS using S_A.
  KDC → Alice : { Alice, Bob, TS1, K_AB, { Alice, Bob, TC, TE, K_AB } K_B } S_A
  Alice → Bob : { Alice, Bob, TC, TE, K_AB } K_B, { TS2 } K_AB
  Bob decrypts his ticket using K_B to obtain K_AB.
  Bob decrypts the authenticator using K_AB.
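Both scenarios above, simulated end to end as an added Python example (not code from the slides or from Windows). Standard library only: a SHA-256 keystream with an HMAC tag stands in for the DES encryption written { … }K, JSON stands in for the ticket format, TC/TE are assumed to be the ticket's validity window, and every key and the password are constructed.

```python
import hashlib, hmac, json, os, time
def _ks(key, nonce, n):  # SHA-256 counter keystream: toy stand-in for the slides' DES
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def encrypt(key, obj):   # {obj}key on the slides: nonce || ciphertext || HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):  # raises ValueError if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

PASSWORD = "correct horse"                 # constructed; K_A = hash(P) is what the KDC holds
KEYS = {"alice": hashlib.sha256(PASSWORD.encode()).digest(), "bob": os.urandom(32)}
K_KDC = os.urandom(32)                     # KDC's own long-term key (constructed)

def kdc_login(user):                       # Scenario 1, KDC side:  W -> KDC : U
    sa = os.urandom(32)                    # S_A, session key between workstation and KDC
    tgt = encrypt(K_KDC, {"sa": sa.hex(), "user": user, "ts": time.time()})
    return encrypt(KEYS[user], {"sa": sa.hex(), "tgt": tgt.hex()})  # KDC -> W

def workstation_login(user, password):     # Scenario 1, W side:  Alice -> W : P, U
    ka = hashlib.sha256(password.encode()).digest()   # W computes K_A = hash(P)
    r = decrypt(ka, kdc_login(user))                  # wrong P -> ValueError, no S_A or TGT
    return bytes.fromhex(r["sa"]), bytes.fromhex(r["tgt"])

def kdc_ticket(tgt, peer, auth):           # Scenario 2:  Alice -> KDC : {TGT}K_KDC, Bob, {TS}S_A
    t = decrypt(K_KDC, tgt)                # KDC decrypts the TGT and obtains S_A
    sa = bytes.fromhex(t["sa"])
    decrypt(sa, auth)                      # KDC decrypts TS using S_A: the sender really holds S_A
    kab, tc = os.urandom(32), time.time()  # K_AB; TC/TE assumed to be the ticket's validity window
    tk = {"c": t["user"], "s": peer, "tc": tc, "te": tc + 8 * 3600, "kab": kab.hex()}
    ticket = encrypt(KEYS[peer], tk)       # {Alice, Bob, TC, TE, K_AB}K_B
    return encrypt(sa, {"c": t["user"], "s": peer, "ts1": tc, "kab": kab.hex(), "ticket": ticket.hex()})

def alice_to_bob(sa, tgt):                 # Alice -> Bob : ticket, {TS2}K_AB
    r = decrypt(sa, kdc_ticket(tgt, "bob", encrypt(sa, {"ts": time.time()})))
    kab = bytes.fromhex(r["kab"])
    return bytes.fromhex(r["ticket"]), encrypt(kab, {"ts2": time.time()}), kab

def bob_accepts(ticket, authenticator):
    t = decrypt(KEYS["bob"], ticket)       # Bob decrypts his ticket using K_B to obtain K_AB
    kab = bytes.fromhex(t["kab"])
    a = decrypt(kab, authenticator)        # Bob decrypts the authenticator using K_AB
    if not t["tc"] <= a["ts2"] <= t["te"]:
        raise ValueError("authenticator outside ticket validity")
    return t["c"], kab
```

Note that P never leaves the workstation: a wrong password simply fails to decrypt the KDC's reply, and the KDC issues a ticket for Bob only after both the TGT and the S_A-encrypted timestamp check out.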
Encrypting File System (EFS)

- EFS is integrated with NTFS version 5.
- Allows Windows 2000 users to encrypt their files and folders.
- Encrypting a folder encrypts all the subfolders and files in that folder.
- Cannot be used to encrypt system files.
- A user needs to know the key to decrypt a file; the log-in password is not enough.
EFS (contd.)

- Uses public key encryption.
- The initial version uses DES as the encryption algorithm.
- A randomly generated File Encryption Key (FEK) is used for encryption.
- Users/Recovery Agents encrypt the FEK using their public key and decrypt it using their private key.
EFS (contd.)
File Encryption Process

The following diagram illustrates the file encryption process:

  Plain text + randomly generated FEK --(File Encryption, DES)--> Encrypted Text
  FEK + User’s Public Key --(Data Decryption Field generation)--> DDF
  FEK + Recovery Agent’s Public Key --(Data Recovery Field generation)--> DRF
EFS (contd.)
File Decryption Process

The following diagram illustrates the decryption process:

  DDF + User’s Private Key --(Data Decryption Field extraction)--> FEK
  Encrypted Text + FEK --(File Decryption, DES)--> Plain Text
EFS (contd.)
File Recovery Process

The following diagram illustrates the file recovery process:

  DRF + Recovery Agent’s Private Key --(Data Recovery Field extraction)--> FEK
  Encrypted Text + FEK --(File Decryption, DES)--> Plain Text
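The three EFS processes above (encryption, decryption through the DDF, recovery through the DRF) as one added Python example; this is not code from the slides or from Windows. Standard library only: textbook RSA on fixed Mersenne primes stands in for the users' public-key pairs, a SHA-256 keystream stands in for DES, and all keys are constructed.

```python
import hashlib, os

def rsa_keypair(p, q, e=65537):          # textbook RSA, toy stand-in for real public-key pairs
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))     # (public, private)

def wrap_fek(fek, pub):                  # DDF/DRF generation: FEK encrypted under a public key
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap_fek(field, priv):             # DDF/DRF extraction: FEK recovered with the private key
    n, d = priv
    return pow(field, d, n).to_bytes(16, "big")

def des_like(fek, data):                 # SHA-256 keystream XOR; stand-in for DES, self-inverse
    ks = b"".join(hashlib.sha256(fek + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def efs_encrypt(plaintext, user_pub, agent_pub):
    fek = os.urandom(16)                 # randomly generated File Encryption Key
    return {"data": des_like(fek, plaintext),      # Encrypted Text
            "DDF": wrap_fek(fek, user_pub),        # Data Decryption Field, for the user
            "DRF": wrap_fek(fek, agent_pub)}       # Data Recovery Field, for the Recovery Agent

def efs_decrypt(enc, user_priv):         # File Decryption Process: user's private key -> DDF -> FEK
    return des_like(unwrap_fek(enc["DDF"], user_priv), enc["data"])

def efs_recover(enc, agent_priv):        # File Recovery Process: agent's private key -> DRF -> FEK
    return des_like(unwrap_fek(enc["DRF"], agent_priv), enc["data"])

# Constructed key pairs from Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1); n > 2^128 > FEK.
USER_PUB, USER_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
AGENT_PUB, AGENT_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)

def demo():                              # constructed file contents; both paths yield the plaintext
    enc = efs_encrypt(b"payroll.xls contents", USER_PUB, AGENT_PUB)
    return (efs_decrypt(enc, USER_PRIV), efs_recover(enc, AGENT_PRIV), enc["DDF"] != enc["DRF"])
```

The file body is encrypted once under the FEK; only the small FEK is wrapped twice, so the recovery agent can read the file without ever holding the user's private key.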
Public Key Infrastructure (PKI)

Primary components of Windows 2000 PKI are:

- Certificate Services: Businesses act as their own Certificate Authorities (CAs).
- Active Directory directory service: Stores information about the network and is used to publish keys.
- PKI-enabled applications.
- Exchange Key Management Service (KMS): Used to manage email encryption keys.
PKI (contd.)

- Includes typical components of a PKI: CA and Sub-CA.
- Certificates are compliant with the ITU-T X.509 standard.
- Supports standard security protocols like IPSec, PKINIT, PC/SC etc., which enhances interoperability.
- Users now have the capability of mixing public and private CAs in their environment.
“Next Generation Secure Computing Base for Windows”

- New set of features for a future operating system, previously codenamed “Palladium”.
- Promises to provide greater security, enhanced personal privacy, and system integrity.
- Applications that would make use of “Palladium’s” security features are codenamed “Trusted Agents.”
“Next Generation Secure Computing Base for Windows” (contd.)

“Palladium” enabled systems would offer the following security features:

- Protected Memory: Hide and protect the pages of main memory being used by a “Trusted Agent.”
- Attestation: Data signed by a “Trusted Agent” to prove its authenticity.
- Sealed Storage: The ability of a “Trusted Agent” to store data securely.
- Secure input and output: Guarantee a trusted path from the input devices to a “Trusted Agent” and from a “Trusted Agent” to the output devices.
“Next Generation Secure Computing Base for Windows” (contd.)

“Palladium” requires both hardware and software support to implement the security features.

Hardware Support

- To provide trusted space in memory.
- To implement the sealed storage security feature.
- Intel has already scheduled the release of its Prescott processor enabled with LaGrande technology to provide hardware support.
“Next Generation Secure Computing Base for Windows” (contd.)

Software Support

Nexus (formerly codenamed “Trusted Operating Root”)

- Technology to be used by the OS to provide trust functionality.
- Executes in kernel mode alongside “Trusted Agents” that execute in user mode.
- Provides the APIs that the “Trusted Agents” can use to communicate with Nexus.
“Next Generation Secure Computing Base for Windows” (contd.)

Software Support (contd.)

“Trusted Agents”

- User applications that can make use of “Palladium’s” security features.
- Execute in user mode in trusted space.
- Call Nexus when they need to make use of some security feature.
- Able to store secrets using sealed storage and authenticate themselves using attestation.
“Next Generation Secure Computing Base for Windows” (contd.)

Examples

Protection against virus attacks

- Anti-virus software is still needed to catch a virus.
- If the anti-virus software is a “Trusted Agent,” then “Palladium” makes sure it executes in a secure environment and infected code doesn’t affect it.

File encryption

- Files are encrypted using system-specific secrets cryptographically locked into hardware.
- Files are useless if maliciously copied or tampered with.
Conclusion

- High security promises prompt consumers to store important and private data carelessly.
- No matter how high OS security promises are, someone’s always out there to break them.
- An example is the Code Red worm that hammered Windows 2000 users by exploiting a loophole in IIS 4.0 and 5.0.
Questions/Comments