Upload
ekram
View
60
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Chapter 7. Access Authentication. Session 5 – Contents. Authentication Concepts IEEE 802.1X Authentication Extensible Authentication Protocol (EAP) EAP Password Mechanisms Other Password Mechanisms Password Security Considerations EAP Authentication Servers - PowerPoint PPT Presentation
Citation preview
Cryptography and Security Services: Mechanisms and Applications
Manuel [email protected]
M. Mogollon 1
Chapter 7Access Authentication
M. Mogollon 2IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
• Authentication Concepts• IEEE 802.1X Authentication• Extensible Authentication Protocol (EAP)• EAP Password Mechanisms• Other Password Mechanisms• Password Security Considerations• EAP Authentication Servers• Remote Authentication Dial-in User Service (RADIUS)• The Needham-Schroeder Protocol, Kerberos V5.1 • ITU-T X.509
Session 5 – Contents
M. Mogollon 3IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Security Concerns• Browsing
— The attacker tries to get access to a database to get information.
• Spoofing— The attacker pretends to be a user with certain privileges.
• Session Hijacking— The attacker tries to take over an existing connection between two
computers.
• Electronic Eavesdropping or Sniffing— The attacker records all the traffic going through the network interface card
(NIC) or on a server node.
• Exhaustive Attacks— The attacker tries to identify secret information by testing all possibilities. Also
called Brute Force Attack.
M. Mogollon 4IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
What is Authentication?
authentication / n. (1) The act of identifying or verifying the entity that originated the message or the corroboration (proof) of the sender's identity, i.e. that he is who he claims to be. Written messages are authenticated with a handwritten signature so the receiver of the message is able to validate the message. (2) access. The act of identifying or verifying the eligibility of a station, originator or individual to access specific categories of information.
Longley, D., & Shain, M. (1989). Data & Computer Security Dictionary of Standards Concepts and Terms (p26). Boca Raton, FL:CRC Press, Inc.
M. Mogollon 5IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Access Authentication
Firewall
Wireless Access Authentication
Access Authentication• Dial-up User Authentication• Wireline User Authentication.• Wireless User Authentication• Device Authentication.
Home office
Router
Router
VoIP
Intranet
Authentication Server
Device Authentication
User Authentication
RouterInternet,IPWAN
PSTNNAS
Dial-up User Authentication
M. Mogollon 6IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Access AuthenticationAccess
Authentication
Protocol
IEEE 802.1X
EAP Method Mechanism
EAP-TTLS
EAP-PEAP
EAP-TLS
MS-CHAP v2
OTP
GTC
CHAP
EAP-AKA
EAP-PSK
EAP-SIM
IEEE 802.1X: Port-based Access Control ProtocolEAP: Extensible Authentication ProtocolTLS: Transport Layer SecurityTTLS: Tunneled Transport Layer Security
Digital Certificates
The prevention of the unauthorized use of a resource.
PEAP: Protected EAPCHAP: Challenge-Handshake Authentication ProtocolOTP: One-Time PasswordGTC: Generic Token Card
M. Mogollon 7IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Authentication Factors• What the user knows
— Something secret only the user knows– A memorized personal identification number (PIN) or password
• What the user has — Something unique the user possesses
– SecureID card (token generating a one-time password)– A smartcard that can perform cryptographic operations on behalf
of a user).– Digital certificate
• What the user is— Something unique to the user— Biometrics (Fingerprints, voiceprint)
M. Mogollon 8IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Access Authentication vs. Authorization• Access Authentication
— Defines whether Access-Accept or Access-Reject is returned by the authenticator server.
• Authorization— Defines user’s environment once access is granted.— Controls or restricts what user is allowed to do on a network access
server (NAS) or network.
M. Mogollon 9IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
IEEE 802.1X Authentication• The IEEE 802.1X-2004 is a data link layer transport
protocol that defines wireless and physical networks port-access control standards. — Port access refers to “user port” access controlled by a wireless
access point or wired switch. Users do not get IP-connectivity until they have successfully authenticated.
• IEEE802.1X deployment requires the installation of three components: — Supplicant authentication software and hardware. — Authenticator – 802.1X EAP compatible. — Authentication Server. In IEEE 802.11, the Access Point acts as an
authenticator, while a wireless station (e.g., a laptop) is the supplicant. A Port Access Entity (PAE) is an entity that is able to control the authorized/unauthorized state of its controlled port.
M. Mogollon 10IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
802.1X Port-based Access Control Protocol
Services offered by the authenticator
systemAuthenticator
Port Access Entity
LAN
Controlled Port
Port Unauthorized Uncontrolled
PortAuthControlledPortStatus
MAC Enable/Disable
Authentication System Authentication Server System
Authentication Protocol
Exchanges
AuthenticationServer
M. Mogollon 11IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Stack
Auth. Layer
Media Layer
Method Layer
PPP 802.11802.5802.3
Extensible Authentication Protocol (EAP)
EAP over LAN (EAPOL)
TLS TTLS PEAP
Connection and Login Process
EAP Layer
Protection Layer
Ethernet Token Ring Wireless LAN
M. Mogollon 12IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Extensible Authentication Protocol• Originally created for use with PPP, it has since been adopted for use with IEEE
802.1X -2004 "Port-Based Network Access Control". • Supports authentication mechanisms such as smart cards, Kerberos, digital
certificates, one-time-passwords, and others.— Authentication mechanisms are implemented in a number of ways called EAP methods, e.g.,
EAP-TLS, EAP-TTLS, EAP-PEAP, etc.• EAP is extensible because any authentication mechanism can be encapsulated within
EAP messages.• EAP allows the deployment of new protocols between the supplicant and the
authentication server.— The encapsulation technique used to carry EAP packets between peer and authenticator in a LAN
environment is known as EAP over LANs, or EAPOL• Authentication Mechanisms
— MD5-Challenge: Analogous to the PPP CHAP protocol with MD5 as the specified algorithm, RFC 1994. The Request contains a "challenge" message to the peer.
— One-Time Password (OTP): Defined in "A One-Time Password System," RFC 1938. The Request contains a displayable message containing an OTP challenge.
— Generic Token Card (GTC): Defined for use with various token card implementations which require user input. The Request contains an ASCII text message and the Reply contains the token card information necessary for authentication.
M. Mogollon 13IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Authentication Process
The Authenticator functions as an AAA
client to the Authentication Server
Authentication Server
Radius, Kerberos, PKI, OTP, Token
Password Authentication Database
Token Authentication Database
X.509 Directory
Kerberos Ticket Granting ServerSupplicants
EAP over Ethernet
EAP Method
Authenticator
AAA – Authentication, Authorization and Accounting
M. Mogollon 14IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Certificate and Hybrid Methods• Certificate Method
— EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security uses X.509 digital certificates for secure mutual authentication client and server.
• EAP Hybrid Methods— EAP-TTLS (Tunneled TLS): Based on asymmetric cryptography
reusing TLS mechanisms. In EAP-TTLS, the TLS handshake can be mutual, or it can be one-way, in which only the server is authenticated to the client.
— PEAP (Protected Extensible Authentication Protocol): Based on asymmetric cryptography reusing TLS mechanisms. Provides an encrypted and authenticated tunnel based on transport layer security (TLS) that encapsulates EAP authentication mechanisms.
M. Mogollon 15IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Protected EAP
• First a TLS tunnel ( ) is established, and then the tunnel is used to run legacy authentication protocols in the inner tunnel ( ).
Cipher Suite
Cipher Suite
Client
Authenticator (Dual Port)
EAP Method
Authentication Server
Trust
Keys
EAP API EAP APIAuthenticator with Controlled Port Disabled.
EAP Method
LAN, Wireless
Services offered by the authenticator
system
EAP Methods, EAP-TLS, EAP-GTC,
MS-CHAPv2
M. Mogollon 16IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP SIM-Based Methods• EAP-AKA (Authentication and Key Agreement):
— Based on the 3rd generation Authentication and Key Agreement mechanism (AKA) specified for Universal Mobile Telecommunications System (UMTS) and for cdma2000.
— Based on challenge-response mechanisms and symmetric cryptography. It uses shared secrets between the User and the Authenticator together with a sequence number to perform the Authentication.
• EAP-SIM (Subscriber Identity Module)— Based on symmetric cryptography that reuses the GSM
authentication infrastructure. — Useful for scenarios where SIMs are already deployed (e.g.,
authentication of GPRS clients on a WLAN connected to a 3GPP network).
M. Mogollon 17IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Pre-Shared Key Methods• EAP-TLS-PSK: TLS Pre-Shared Key
— A possible future EAP method based on TLS that would support authentication based on pre-shared keys.
— TLS-PSK uses one of the following:– 1. Symmetric key operations for authentication; – 2. Diffie-Hellman exchange authenticated with a pre-shared key; – 3. Combined public key authentication of the server with pre-shared key authentication of the
client.• EAP-IKEv2:
— Based on the symmetric and asymmetric cryptography of IKEv2, a protocol whose security has received considerable expert review.
— Could be an excellent candidate to replace EAP-MD5. • EAP-PSK (Pre-Shared Key)
— Based on symmetric cryptography. — Advantages:
– Simplicity: Easy to implement and to deploy without any pre-existing infrastructure. – Wide applicability: Can be used to authenticate over any network, in particular for WLANs. – Security: Based on AES.– Extensibility: Can add extensions as needed.– Patent-avoidance: No Intellectual Property Right claims.
M. Mogollon 18IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Password-Based EAP Methods• EAP-PAX
— Designed for device authentication using a shared key, a personal identification number (PIN). Instead of using a symmetric key exchange, the client and server perform a Diffie-Hellman key exchange, which provides forward secrecy.
— Supports the generation of strong key material; mutual authentication; resistance to desynchronization, dictionary, and man-in-the-middle attacks; ciphersuite extensibility with protected negotiation; identity protection; and the authenticated exchange of data, useful for implementing channel binding. EAP-PAX is ideal for wireless environments such as IEEE 802.11.
• EAP-SPEKE (Simple Password Exponential Key Exchange)— Based on symmetric cryptography and asymmetric key cryptography to provide
password-only authenticated key exchange.— Useful only when authentication is based on user-provided password information.— Unnecessarily complex for device authentication (e.g., it makes heavy use of public
key cryptography).— Improved protocol supports mutual authentication and key exchange and it works on
the Elliptic Curve Cryptosystems (ECC) base, as well as the DH (Diffie-Hellman) base.
M. Mogollon 19IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Road to AuthenticationStep 1 Step 2
EAP MethodStep 3Authentication Mechanism
Note 1: Strong Access Control protocol. Must be coupled with a secure EAP method.Note 2: No need to issue certificate to the clientNote 3: Both the client and the server must be assigned a digital certificate signed by a
certificate authority. Requires PKI
802.1XPort-Based Network Control
Public-Key Certificates
Yes
No
Client and Server Certificates
Yes
No, Only Server
EAP-TLS
EAP-TTLS
PEAP
EAP-PSKEAP-IKE v2
EAP-SIMEAP-AKA
EAP-SPEKE
EAP Methods, CHAP, PAP, MS-CHAP and MS-CHAPv2.
Pre-Shared-Keys
(Note 1)
(Note 3)
(Note 2)
EAP Methods, EAP-TLS, EAP-GTC, MS-CHAPv2
Client Certificate
RSA / ECC
EAP-PAX Passwords
EAP-TLS-PSK
SIM-based
M. Mogollon 20IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Key Material• User authentication protocols perform two functions:
— Verifying the identity of one or both parties, and— Producing ephemeral secret keys shared between the parties that are used
subsequently for data origin authentication.
• During authentication, key material is transported or agreed to.— In key transport, both parties share a key-encrypting key that is used to wrap
(encipher) the key that is going to be transported - exchanged.— A key agreement algorithm allows two parties to generate a secret key computed from
public key algorithms such as Diffie-Hellman.
• Exchanged or generated keys are used to generate key material.• In EAP, the following keys are derived: Master Session Key (MSK),
Extended Master Session Key (EMSK), AAA Key, Application-Specific Master Session Keys (AMSK), Transient Session Keys (TSK), Initialization Vector (IV), and Transient EAP Keys (TEK)
• The MSK is used to derive the AAA Key; the AAA Key is used to derive the Transient Session Keys (TSKs), and the TSKs are used to protect data.
M. Mogollon 21IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Password Mechanisms • Legacy authentication systems are based on passwords
or token-based authentication systems.• EAP is used with legacy authentication systems by first
establishing a secure tunnel (e.g. TLS), and then using that tunnel to run the legacy authentication protocols, so the authentication is running in an inner tunnel.
• Two EAP methods, TTLS and PEAP, have been proposed to support legacy authentication systems.— EAP-TTLS supports all EAP methods, CHAP, PAP, MS-CHAP, and
MS-CHAPv2. — EAP-PEAP supports all EAP methods, as well as EAP-TLS, EAP-
GTC, MS-CHAPv2. PAP and CHAP are not recommended for use as authentication methods with EAP-PEAP.
M. Mogollon 22IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP PEAP with MS-CHAP-v2
AuthenticatorClientRequest Identity Message
Client or Computer IdentityAuthenticator Challenge (16-octet
random number)Client Challenge Response (24-octet)
Client Challenge (16-octet random number)
Success MessageResponse to Client
Challenge
Ack Message
Success Message
The entire authentication exchange is encrypted through the TLS channel created in PEAP
M. Mogollon 23IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Generic Token Card (GTC)
Encipher with Key
User’s Key
Same
Encipher with Key
Authenticator
User
PIN
Seed
Token
Seed
Access Control Server
Database
M. Mogollon 24IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP One-Time Password (OTP)
Network Access Server
Same
Hash Function
AuthenticatorUser
Hash Function
Seed and Challenge numbers
User’s secretpass-phrase
or PIN
Secret pass-phrase and seed are hashed the number of times to be equal to the Challenge number and then become a One-Time
Password.
Database
User’s secretpass-phrase or PIN
One-Time Password Systems• New password required for each session.• IETF standardized OTP in RFC 2289.• Difficult to administer the secret pass-phrase
list and, therefore, not very scalable.
One-Time Password
ConcatenateConcatenate
Seed and Challenge numbers
M. Mogollon 25IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Password Security Considerations• Passwords are prearranged identifiers that the user possesses,
such as words, special coded phrases, personal identification numbers (PINs), etc.
• Password systems require a single coded response from the user to be allowed access to the host computer.
• When writing a password policy, organizations should consider the following:— How the password will be selected— How often the password will be changed— How long the password will be used— How the system will handle (transmit) the password
• Users normally choose unsatisfactory or poor passwords, such as words from a dictionary, words spelled backwards, first names, surnames, address numbers, telephone numbers, and social security numbers.
M. Mogollon 26IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Password Guessing• In 1985, the Department of Defense published the Password Management
Guideline, CSC-STD-002-85, that described how to calculate the maximum lifetime of a password.
whereL = Maximum lifetime for a passwordP = Probability that a password can be guessed within its lifetime, assuming continuous guesses for that period.R = Number of guesses possible to make per unit of time.S = Password space; the total number of passwords that can be generated.S = AM (A = number of alphabet symbols, M = password length)
• For P = 10-6; R = 500K guesses/sec = 43.2 x 108/day.• For a password that consists of a combination of ten upper and lower case
letters and numbers 0 - 9, then
and
RSx P= L
10x = = A= S M 1710 39.862
days = x
10 x . x 10 = L1-
43.19102.43
3988
76
M. Mogollon 27IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Password Guidelines• Must contain a combination of at least eight alphanumeric characters
including at least one alphabetic, one numeric, and one special (e.g., punctuation) character, as well as one upper case and one lower case character.
• Must be a minimum length of ten characters (not eight) if the system does not distinguish between upper and lower case.
• Must not contain the user ID or portion thereof.• Must not be a combination of year and date.• Must not contain any two or more letters in forward or reverse alphabetic
sequence, ASCII sequence, or QWERTY sequence, regardless of the case.• In the Windows NT environment, it is better to use passwords that are
exactly 7 or 14 characters in length.• The system should not modify the end-user password, i.e., convert the
password to all lower case, or truncate the password.• Passwords must not be stored or retained in clear at any location; instead,
a hash of the password should be stored. The Secure Hash Algorithm SHA (224, 256, 384, or 512) should be used and the hashed password should not be truncated.
M. Mogollon 28IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Access Authentication• Two-Factor Authentication
— To identify and authenticate an authorized system user, two factors are necessary: (1) Something secret only the user knows – a memorized personal identification number (PIN) or password; (2) Something unique the user possesses – a token.
• Time Synchronizing— The authorized system user carries a token which generates a unique, one-
time, unpredictable access code every 60 seconds. To gain access to a protected resource, a user simply enters his or her secret PIN, followed by the current code displayed on the token.
— Authentication is assured when the authenticator recognizes the token’s unique code in combination with the user’s unique PIN. Software synchronizes each token with hardware at the authenticator.
— RSA SecurID token is a good example of a product providing an easy, one-step process to positively identify network and system users.
M. Mogollon 29IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
RADIUS Authentication Server • Used for Remote Authentication Dial-In User Services• Is an easy method for authentication, authorization and accounting
of dial-in users (AAA).• Relies on basic Request/Accept messaging.• Uses UDP (User Datagram Protocol).• Relies on “shared secret” for NAS authentication• Access-Request
— Sent by RADIUS client (Network Access Server - NAS)— Contains username, password and particulars such as NAS ID, port number,
access type, etc.• Password encrypted with shared secret• Access-Accept or Access-Reject
— Returned by RADIUS server— Contains list of attributes (called authorization info) used by the NAS
M. Mogollon 30IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
RADIUSClient(User)
Network Access Server
(NAS)NAS operates as a Client of Radius
RADIUS Server DatabaseList of requirements which must be met to allow access for the user.
Access-Request
Access-Request• User dials into
remote access server
• User Name• Password
(Hidden using RSA Message Digest Algorithm, MD5)
• NAS ID• Port ID
Access-Reject or Challenge
Smart Card, Software
Challenge Response
Resubmit Access-Request
Resubmit Access- Request
• Original Access- Request with the User Password Attribute replaced by the encrypted response.
1
2
3
4
5
6
7
1• NAS sends
request for RADIUS authentication and authorization.
• RADIUS checks against its user ID database, and
• Provides info to NAS whether the user is in the database or not.
72 - 4• Sends Access-
Reject or Challenge (random number)
• User enciphers Challenge with Smart Card or encryption software.
5 - 6
M. Mogollon 31IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Needham and Schroeder Authentication
1. A T: {A ¦B ¦RA}
2. T A: EKA {RA ¦ B ¦ K ¦EB(K
¦A)}3. A B: E B {K ¦A}
4. B A: E K {R B}
5. A B: E K {RB – 1}3
5
21
Trusted Entity
BA 4
M. Mogollon 32IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Kerberos Authentication Method• Internet security standard protocol RFC 1510 based on trusted third-party
centralized authentication to offer authentication services to users and servers in an open distributed environment.— Used in Windows 2000
• Relies on secret-key symmetric ciphers for encryption and authentication.• Requires trust in a third party (the Kerberos server) for authentication.
— If the server is compromised, the integrity of the whole system is lost.
• Does not use public-key encryption, therefore, does not produce digital signatures or authentication of authorship of documents.
• Version 4 still used.• Version 4 makes use of DES in Propagating Cipher Block Chaining (PCBC)• Version 5 (RFC 1510) uses any encryption algorithm. If DES is used it has to
be in CBC mode.ftp://ftp.isi.edu/in-notes/rfc1510.txt .
M. Mogollon 33IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Kerberos
• Kerberos server performs the functions of a Key Distribution Center (KDC).— Keeps the secret keys of all users.— Authenticates the identities of users and distributes session keys to users and servers.
• Application servers do not communicate with the Kerberos server.
I am Alice’s workstation and I want to use database # 1
in the application server “B”. Here is my user ID.
I believe you. Here is your ticket with your user ID, network address, and the server ID for the application server “B” you want to access.
I am Alice, and I want to use your database #1.
Here is my ticket.
I believe you, and here is your access to the database services.
Kerberos Server
ClientWorkstation
Application Server “B”
Database # 1I am Alice, and here is my password to prove
it.
Ticket is encrypted using the secret key shared by the Kerberos server and the Application server.
1
2 3
4
5
M. Mogollon 34IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Kerberos’ Abbreviations and ProtocolsC = Client S = ServerTGS = Ticket Granting Serveradddrx = x’s network addressAx = x’s authentication (name, address, and timestamp)IDx = x’s identificationKx = x’s secret keyKx,y = Session key for x and y
communicationsKx {m} = m encrypted with x’s secret keyTxy = x’s ticket to use with yTGSx = TGS used by Ctimes = beginning and ending validity time for a ticket, timestamp|| = concatenation
1
5
32
C
AS TGS
6
4
S• IDC || TGSC || time
• EKC { K C, TGS } || E KTGS
{ TC,TGS } || time
• IDS || E KTGS { TC,TGS } || E K C, TGS
{ AC }
• E K C, TGS { KC,S } || E Ks
{ TC,S }
• E Ks {TC,S} || EKC,S
{ AC }
• EKC,S { timestamp, Subkey, Seq # }
Kerberos’ ticket for x to talk with y
Tx,y = EKy { IDx, addrx, times, Kx,y }
Once per user log
on
Once per type of service
Once per service session
M. Mogollon 35IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Kerberos Encryption and Checksum
Confounder Message Padding Confounder Message Padding
Encipher
HMAC
Ciphertext Output = E (Ke, confounder || message || padding) || HMAC(Ki, confounder || message || padding)
KeKi
Encryption
Checksum Confounder Message Padding
HMACKi
Encipher
Ke Encipher
Ke
Checksum Output = E (Ke, confounder) || E [Ke, (HMAC(Ki confounder || message || padding)]
M. Mogollon 36IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Kerberos Security Concerns• Secret keys should be distributed in a secure way.• Kerberos servers have same concerns about secret-key
encryption, i.e. confidentiality and timeliness that apply to Kerberos’ secret keys.
• Kerberos servers should be located in physically secure environments with restricted physical access.
• Multiple-service-granting tickets are reusable, so an opponent may capture the ticket and use it. — Tickets should have a timestamp and a lifetime to prevent replay
attacks (Version 5).
M. Mogollon 37IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
X.509 Authentication Method• ITU-T recommendation X.509 is part of the X.500 series of
recommendations that define a directory service.• X.509 is the primary standard for certificates. It specifies not only
the format of the certificate, but also the conditions under which certificates are created and used.
• Two types of authentication are used.— Simple Authentication using passwords.— Strong Authentication using public-key crypto systems.
• Public Key Infrastructure (PKI) is based on X.509, Version 3.— Each certificate contains the public key of a user and is signed with the
private key of a CA.— RSA is recommended for use in X.509.
• X.509 is used in S/MIME, IP Security, TLS/SSL and SET.
M. Mogollon 38IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
X.509 – Simple Authentication
1. Alice sends her ID and password to Bob;
2. Bob sends Alice’s ID and password to the Directory, where the password is checked against the information held for Alice.
3. The Directory confirms (or denies) to Bob that the credentials are valid.
4. The success (or failure) of authentication may be conveyed to Alice.
1
4
32
Directory
BA
The password is sent in cleartext
M. Mogollon 39IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
X.509 – Simple Protected Authentication
• Using a one-way function, Alice creates a hash of her ID, password, time stamp and a random number.
• Alice sends in clear her ID, time stamp and random number. The time stamp and/or random number (when used) is used to minimize replay and to conceal the password.
• Bob generates Alice’s hash by using Alice’s ID and optional time stamp and/or random number, together with the Directory’s local copy of Alice’s password.
• Bob compares Alice’s hash with the locally generated hash value.
ID, Password,
Time Stamp, and Random
Number
Hash
One-Way Function
One-Way Function
Hash
Compare
Alice’s Password from Directory
Transmit
Alice
ID, Time Stamp, and
Random Number
Alice
Hash
ID, Time Stamp, and
Random Number
Bob
M. Mogollon 40IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
X.509 – One-way Strong Authentication
Non-repeating number rA
Using Bob’s
Public Key
Alice
Bob
Time Stamp tA
Alice’s Digital Signature sgnData
Secret Key [encData]
Bob’s ID IDB
Authentication Message
Encipher
Alice’s Certificate and
path to CA
Enciphered, and signed
authentication message
Using Alice’s Private
Key
Encipher
Alice’s public key and info
CA’sPublic Key
Alice’s CA
Decipher Using CA’s Public Key
DecipherUsing Alice’s
Public Key
rA , tA, IDB ,
Bp[encData]
DecipherUsing Bob’s Private Key
Secret Key [encData]
Bob checks if Alice’s certificate has expired.
Bob• Checks that Alice’s
non-repeating number has not been replayed.
• Checks that Alice’s time stamp is current.
• Verifies that Bob himself is the intended recipient.
Bp[encData]
M. Mogollon 41IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Non-repeating number rB
Using Alice’s Public Key
Bob
Alice
Time Stamp tB
Bob’s Digital Signature sgnData
Secret Key [encData]
Alice’s ID IDA
Authentication Message
Encipher
Bob’s Certificate
Enciphered, and signed
authentication message
Using Bob’s
Private Key
Encipher
Bob’s public key and info
CA’sPublic Key
Bob’s CA
DecipherUsing CA’s Public Key
DecipherUsing Bob’s
Public Key
rB , tB, IDA ,
Bp[encData]
Decipher Using Alice’s Private Key
Secret Key [encData]
Alice checks if Bob’s certificate has expired.
Alice• Checks that Bob’s
non-repeating number has not been replayed.
• Checks that Bob’s time stamp is current.
• Verifies that Alice herself is the intended recipient.
Ap[encData]
X.509 – Two-way Strong Authentication
M. Mogollon 42IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Key Length Equivalent Strengths
15360
7680
3072
2048
1024
Diffie-Hellman and RSA
Modulus Size
512641024SHA-512AES-512256
384641024SHA-384AES-256192
25632512SHA-256AES-128128
22432512SHA-13DES112
16032512SHA-1SKIPJACK80
ECCWord Size (Bits)
Block Size (Bits)
Hash Algorithm
Symmetric Encryption Algorithm
Security (Bits)
M. Mogollon 43IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
To Probe Further• Public-Key Infrastructure (X.509) (PKIX) Charter. Links to many X.509 RFP web sites.
http://www.ietf.org/html.charters/pkix-charter.html• Directories and X.500: An Introduction, Information Technology Services, National
Library of Canada. Retrieved August 20, 2002 from http://www.nlc-bnc.ca/9/1/p1-244-e.html
• RFC 2865 Remote Authentication Dial-in User Service (RADIUS) describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server that desires to authenticate its links and a RADIUS Server. http://www.ietf.org/rfc/rfc2865.txt?number=2865
• Password Management Guideline, CSC-STD-002-85 http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html
• One-Time Password System RFC 2289. IETF. http://www.ietf.org/rfc/rfc2289.txt?number=2289
• The Kerberos Network Authentication Service (V5). RFC 1510. IETF. http://www.ietf.org/rfc/rfc1510.txt?number=1510
• Extensible Authentication Protocol RFC 2284 • Mishra, Arunesh, and William Arbaugh. (2001) "An Initial Security Analysis of the
IEEE 802.1X Security Standard. Paper available from http://www.cs.umd.edu/~waa/1x.pdf
M. Mogollon 44IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
To Probe Further• Needham R. M., M. D. Schroeder, Using Encryption for Authentication in Large
Networks of Computers Communications of the ACM, Vol. 21 (12), pp. 993-99.
M. Mogollon 45IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
802.1X Ethernet Packet
Dest. MAC0180C200000F
Type8180
ProtocolVersion
01
PacketType
6 bytes 6 bytes 2 bytes 1 byte
SourceMAC
1 byte
PacketBody
Length
2 bytes
PacketBody
n bytes
00 EAP-Packet01 EAPOL-Start *02 EAPOL-Logoff *03 EAPOL-Key04 EAPOL-Encapsulated-ASF-Alert
Code Identifier Length Data
1 byte 1 byte 2 bytes n bytes
DescriptorType
KeyLength
ReplayCounter Key IV
1 bytes 2 bytes 8 bytes 16 bytesKey
IndexKey
Signature Key
1 bytes n bytes16 bytes
* No Packet Body Field
1 Request2 Response3 Success4 Failure
EAP Payload (EAP-TLS, EAP-TTLS, EAP PEAP)
Packet Body Field
Nonce
32 bytes
M. Mogollon 46IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
VPN Applications:Extranets and Remote Access
Internet
Tunnel Mode
Security Policy Server
Laptop with VPN and MCS Client Software
VPN Gateway
Nortel’s Protected Intranet
Router
VoIP and data packets are enciphered between the
laptop and the VPN Gateway
M. Mogollon 47IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
EAP Authentication Process
Authentication Server
Radius, Kerberos, PKI, OTP, Token
Password Authentication Database
Token Authentication Database
X.509 Directory
Kerberos Ticket Granting Server
EAP over Ethernet
EAP Method
AuthenticatorIP Phone User Authentication
M. Mogollon 48IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
VoIP VPN Tunnel using IPSec
Router
IP PhoneRouter
Internet,IPWAN
IP Phone
VPN Tunnel
M. Mogollon 49IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
VoIP using TLS (SSL)
Shared Master Secret Key Shared Master Secret Key
Use Diffie-Hellman Public Key Exchange Algorithm to negotiate a key
AES
Cleartext Block
Ciphertext Block
Ciphertext Block
IV + +
AES
Master Shared
Secret Key
Cleartext Block
AES
Cleartext Block
Ciphertext Block
Ciphertext Block
IV+ +
AES
Cleartext Block
Master Shared
Secret KeyUse AES to encipher and decipher a secure TLS (SSL) VoIP phone call.
Encipher Decipher
The negotiated secret key is used to encipher all IP voice packets during the the phone call.
M. Mogollon 50IEEE 802.1X EAP Methods Passwords Radius Kerberos X.509
Extensible Authentication Protocol
Radius Access Request
Radius Access Challenge
Radius Access Accepted
EAP Request Identity
EAP Response
EAPOL Start
EAP Response IdentityRadius Access Request
Client (Peer, Supplicant) Authenticator Authentication
Server (Radius)
EAP Request
EAPOL Success