ITA, 14.11.2011, 10-IAM.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Peter Heinzmann Prof. Dr. Andreas Steffen Dr. Nathalie Weiler* Institute for Internet Technologies and Applications (ITA) 10 Identity and Access Management (IAM) * 2002-2004 Zürcher Hochschule Winterthur, currently with Credit Suisse


Internet Security 1 (IntSi1)

Prof. Dr. Peter Heinzmann

Prof. Dr. Andreas Steffen

Dr. Nathalie Weiler*

Institute for Internet Technologies and Applications (ITA)

10 Identity and Access Management (IAM)

* 2002-2004 Zürcher Hochschule Winterthur, currently with Credit Suisse


Controlled Access is needed to ...

• One Computer (Sign-On, Logon)

• Many Computers (Single Sign-On, SSO)

• Applications (Telnet, Secure Shell, ftp, library catalog)

• Mailbox (POP3, IMAP)

• Web-Editing (FrontPage)

• Web-Pages (.htaccess)

• ....

• Rooms, areas, ...


Authentication, Authorization, Accounting (AAA)

[Diagram: User at a login prompt with the fields Username and Password]

0. Identification: I am "Username" (Username: asteffen)
1. Authentication: Prove that I am "Username" (Password: ********)
2. Authorization (Access)
3. Accounting


10.1 Basic Authentication Schemes


Authentication is based on ...

• What you know (password, PIN, shared secret)
  • ask for something only the authorized user knows
  [Figure: login prompt with Username: asteffen and Password: aznHu4Um]

• What you have (Certificate, Token, Scratch List)
  • test for the presence of something only the authorized user has
  [Figure: scratch list]
  01 Z4GH    06 IKDX
  02 67TS    07 9PL7
  03 UR2A    08 NFLB
  04 TIQV    09 K91D
  05 3Z5P    10 HA85

• What you are (biological pattern, e.g. fingerprint)
  • non-forgeable biological or behavioral characteristics of the user
  [Figure: Face, Iris/Retina Scanning, Fingerprint, Voice]


Local Windows/Unix Logon Process

[Diagram: logon prompt with Username: asteffen, Password: ********, Domain: local. Username and Password are entered; the One-Way Function H(PW) yields the PW-Hash; the Password-File holds Username and PW-Hash.]

WinXP: \WINDOWS\system32\config\SAM
SAM = Security Account Manager (permanent file lock)

Unix: /etc/passwd (User IDs)
/etc/shadow (Password Hashes)


NT and LANmanager Password Schemes

NTLM Password Hash
• Hash function: MD4
• 14 characters with 14 Bit per character (Unicode characters)
• 16 bytes NTLM Hash

LM Password Hashes
• Hash function: DES
• Two times 7 characters with 8 Bit per character, capital characters only
• first 8 bytes of LM hash (Characters 1 .. 7)
• second 8 bytes of LM hash (Characters 8 .. 14) = 0xAAD3B435B51404EE if password has less than 8 characters


Offline Attacks on LM & NTLM Hashes


Unix Password Schemes

[Diagram labels: User, Host, ID, Password, Salt, DES Hash Function, Hash, /etc/shadow Password File]

• Salt helps against precomputed tables. UNIX uses 12 bits of salt, resulting in 4096 hashed password variants.

• Optional MD5 hash allows passwords and passphrases > 8 characters.

/etc/shadow entries:

tpw:$1$Or6ur$eUbm5V2.meW3v7xkBtA77.:

andi:zM0qKKIURkwh.:12739:0:99999:7:0::
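An added example, not part of the original slides: a parser that classifies the two /etc/shadow entries shown on this slide by hash scheme and salt size, as one would when auditing a host for legacy password hashes. The `$5$`/`$6$` identifiers and the two extra entries are not on the slide; the extra entries are constructed to cover the locked and unknown cases.

```python
"""Classify the password-hash scheme of /etc/shadow entries (added example)."""

# The two entries shown on the slide (the first is cut off after the hash field).
SLIDE_ENTRIES = [
    "tpw:$1$Or6ur$eUbm5V2.meW3v7xkBtA77.:",
    "andi:zM0qKKIURkwh.:12739:0:99999:7:0::",
]
# Constructed entries: a locked account and an unrecognised scheme prefix.
CONSTRUCTED_ENTRIES = ["daemon:*:12739:0:99999:7:::", "svc:$zz$abc$def:12739::::::"]

CRYPT64 = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Modular-crypt identifiers; only "$1$" (MD5) appears on the slide.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
LEGACY = {"des-crypt", "md5-crypt"}  # both schemes from the slide are weak today


def classify(line):
    """Return user, scheme, salt, salt_bits and a legacy flag for one entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    scheme, salt = "unknown", ""
    if pw == "":
        scheme = "empty"                      # no password required at all
    elif pw[0] in "*!":
        scheme = "locked"                     # password login disabled
    elif pw.startswith("$"):
        parts = pw.split("$")                 # ['', id, salt, hash]
        if len(parts) >= 4 and parts[1] in MODULAR:
            salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
            scheme = MODULAR[parts[1]]
    elif len(pw) == 13 and set(pw) <= CRYPT64:
        scheme, salt = "des-crypt", pw[:2]    # 2 salt chars + 11 hash chars
    return {
        "user": user,
        "scheme": scheme,
        "salt": salt,
        "salt_bits": 6 * len(salt),           # 6 bits per crypt-alphabet character
        "legacy": scheme in LEGACY,
    }


def needs_rehash(lines):
    """Users whose stored hash should be replaced by a modern scheme."""
    flagged = []
    for record in map(classify, lines):
        if record["legacy"] or record["scheme"] in ("empty", "unknown"):
            flagged.append(record["user"])
    return flagged


if __name__ == "__main__":
    for entry in SLIDE_ENTRIES + CONSTRUCTED_ENTRIES:
        print(classify(entry))
```

The 13-character entry for `andi` carries a 2-character salt, i.e. the 12 bits (4096 variants) named on the slide.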


Typical Attacks on Passwords

• Social engineering
• Password guessing
  • Check for „well known“ passwords
• Password cracking (systematic password trying)
  • Dictionary attack based on word lists (several languages, LOTR, etc.)
  • Words with permutations and some special characters (rules)
  • Exhaustive search (brute force)
  • Precomputed Tables (Rainbow)
  • Tools: Cain & Abel, John the Ripper
• Password sniffing
  • Sniffing and setting triggers (e.g. on „login“ or „password“)
• Keystroke monitoring
  • TTY watcher, keystroke recorder (HW/SW)
• Trojan horse „faked login screen“
• Phishing (Redirection to malicious host)


10.2 Challenge / Response Protocols


Secure Authentication based on Challenge/Response Protocols

[Diagram: User and Server are connected by an Insecure Channel and share a Key. The Server sends a Challenge, the random value (Nonce) RS. The User's side contributes IDU and RU. On both sides a Keyed Hash Function with the Key computes a MAC; the MAC is returned as the Response and compared.]

• No secrets are openly transmitted

• The random values RS and RU must not be repeated!
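The exchange on this slide written out as an added example (not part of the original slides), including what happens when a recorded response is replayed. The message order (IDU and RU first, then RS with a server MAC, then the user's MAC), HMAC-SHA256 as the keyed hash function and the direction labels `b"S"`/`b"U"` are assumptions.

```python
import hashlib
import hmac
import secrets


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (the slide's keyed hash function)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, keys):
        self.keys = keys       # ID_U -> shared key
        self.pending = {}      # ID_U -> (R_U, R_S) of the login in progress

    def challenge(self, id_u, r_u):
        """Answer (ID_U, R_U) with a fresh R_S and a MAC proving key knowledge."""
        r_s = secrets.token_bytes(16)
        self.pending[id_u] = (r_u, r_s)
        return r_s, mac(self.keys[id_u], b"S", id_u, r_u, r_s)

    def verify(self, id_u, tag):
        state = self.pending.pop(id_u, None)   # single use, consumed even on failure
        if state is None or tag is None:
            return False
        return hmac.compare_digest(tag, mac(self.keys[id_u], b"U", id_u, *state))


class User:
    def __init__(self, id_u, key):
        self.id_u, self.key = id_u, key

    def hello(self):
        self.r_u = secrets.token_bytes(16)     # never reuse R_U across runs
        return self.id_u, self.r_u

    def respond(self, r_s, server_tag):
        expected = mac(self.key, b"S", self.id_u, self.r_u, r_s)
        if not hmac.compare_digest(server_tag, expected):
            return None                        # peer does not hold the key: stop
        return mac(self.key, b"U", self.id_u, self.r_u, r_s)


def demo():
    key = secrets.token_bytes(32)              # constructed shared key
    server, user = Server({b"asteffen": key}), User(b"asteffen", key)
    r_s, s_tag = server.challenge(*user.hello())
    captured = user.respond(r_s, s_tag)        # the response seen on the wire
    ok = server.verify(b"asteffen", captured)
    replay_same = server.verify(b"asteffen", captured)  # challenge already consumed
    server.challenge(*user.hello())                     # new run, new R_U and R_S
    replay_new = server.verify(b"asteffen", captured)   # MAC is bound to old nonces
    rogue = Server({b"asteffen": secrets.token_bytes(32)})  # lacks the real key
    rogue_rejected = user.respond(*rogue.challenge(*user.hello())) is None
    return ok, replay_same, replay_new, rogue_rejected
```

`demo()` returns `(True, False, False, True)`: the genuine run succeeds, both replays fail because the MAC covers nonces that are no longer current, and the user refuses to answer a server that cannot prove knowledge of the key.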


Challenge/Response Protocol based on Digital Signatures

[Diagram: User and Server are connected by an Insecure Channel. The Server sends a Challenge, the random value (Nonce) RS. The User computes a Hash over RS, IDU and RU and forms the signature Sig by Encryption with Private Key; the Response carries IDU, RU and Sig. The Server applies Decryption with Public Key to Sig and compares the result with the Hash it computes itself over RS, IDU and RU.]


10.3 Windows NT LAN Manager NTLM


Windows Domain Authentication

• A Domain is a collection of Services (Email, File-Shares, Printers, ...) administered by a Domain Controller (DC).

• Centralized Administration:
  • Each user has only one account per Domain managed by the Domain Controller.
  • Thus there is no need for individual Server accounts.

• Flexibility:
  • Assignment of Users to Groups
  • Multiple Domains possible (Master-Domains, Trust Relationships)

• All users and servers must trust the Domain Controller.

[Diagram: a Domain containing the Domain Controller (DC), User A, User B, Printer, Server 1, Server 2 and Server 3]


NTLM – Protocol

• Windows NT LAN Manager is a proprietary Microsoft scheme.

• Typical example of a Challenge-Response protocol.

H: Hash function
E(x, k): Encryption of x with key k

Parties: User Alice, Server, Domain Controller (DC)
User Alice logs on with Domain: Wonderland, Username: Alice, Password: 2Uh7&
DC database: User Alice: KeyA

Alice → Server: Alice
Server → Alice: Challenge: f68ba0537
Alice: H(2Uh7&) = KeyA
Alice: E(f68ba0537, KeyA) = 51ff1d83
Alice → Server: 51ff1d83
Server → DC: Alice, f68ba0537, 51ff1d83
DC: E(f68ba0537, KeyA) = 51ff1d83
DC: Comparison with 51ff1d83 – ok?
DC → Server: OK


NTLM Security Analysis

• User key is known to the user and DC only
  • The user key is derived from the user's login password.
• Only the entitled user can correctly encrypt the challenge.
• Non-recurring challenge values (nonces) prevent replay attacks.
• Pros:
  • Password is never transmitted in the clear.
  • Simple and secure protocol if strong user passwords are used.
• Cons:
  • The authentication process must be repeated for every use of a server → DC can become a bottleneck.
  • Weak or short NTLM passwords can be cracked offline with a dictionary or brute force attack.


10.4 Kerberos Key Distribution System


Historical Background

• Developed in 1983 as part of MIT's Athena project.

• Motivation:
  • Many MIT students „sniffed“ the network and thus got hold of root passwords which they used to reboot the servers.

• Requirements:
  • Authentication in UNIX-based TCP/IP networks
  • Use of symmetrical cryptography (DES)

• Characteristics:
  • Relies on the mediation services of a trusted referee or notary.
  • Based on the work by Needham and Schroeder on trusted third-party protocols as well as Denning and Sacco's modifications of these.

• Kerberos Releases
  • Current release is Kerberos v5 (RFC 1510, September 1993).
  • V5 supports additional encryption ciphers besides DES.


Mediated Authentication by means of a Key Distribution Center (KDC)

[Diagram: the principals Alice, Bob, Jack, Jip, Mary, Paul, Peter, Harry, Dick and Tom around a central KDC; the keys Kalice and Kbob are shown at the KDC]


Kerberos Tickets

• Each Kerberos participant (Alice, Bob, etc.) – called a Principal – shares a common secret with the Key Distribution Center (KDC) – the Principal’s Master Key.

• Each secured communication or secured access is "mediated" by means of a Kerberos Ticket.

How is Alice going to talk to Bob?


Simplified Kerberos Protocol

H: Hash function
E(x, k): Encryption of x with key k
D(x, k): Decryption of x with key k

Parties: User Alice, KDC, Server Bob
User Alice logs on with Realm: Wonderland, Username: Alice, Password: 2Uh7&
KDC database: User Alice: MKeyA, Server Bob: MKeyB
Server Bob holds: MKeyB

Alice: H(2Uh7&) = MKeyA
Alice: E(time, MKeyA) = a5F113de
Alice → KDC: Alice, Bob, a5F113de
KDC: D(a5F113de, MKeyA) = time, valid?
KDC: Session key Alice-Bob: SAB
KDC: E(SAB, MKeyA) = 9abc571a
KDC: E({ Alice, SAB }, MKeyB) = Ticket
KDC → Alice: 9abc571a, Ticket
Alice: D(9abc571a, MKeyA) = SAB
Alice: E({ Alice, time }, SAB) = 5cc10981
Alice → Bob: 5cc10981, Ticket
Bob: D(Ticket, MKeyB) = { Alice, SAB }
Bob: D(5cc10981, SAB) = { Alice, time } correct?


Kerberos Protocol – Authentication Service
Session Key and Ticket-Granting Ticket (TGT)

H: Hash function
E(x, k): Encryption of x with key k
D(x, k): Decryption of x with key k

Parties: User Alice, KDC
User Alice logs on with Realm: Wonderland, Username: Alice, Password: 2Uh7&
KDC database: User Alice: MKeyA, Server Bob: MKeyB

Alice: H(2Uh7&) = MKeyA
Alice: E(time, MKeyA) = a5F113de
Alice → KDC: AS_REQ [Alice, a5F113de]
KDC: D(a5F113de, MKeyA) = time, valid?
KDC: Session key for Alice: SA
KDC: E({ Alice, SA }, MKeyKDC) = TGTA
KDC: E({ SA, TGTA }, MKeyA) = 27LnZ8vU
KDC → Alice: AS_REP [27LnZ8vU]
Alice: D(27LnZ8vU, MKeyA) = { SA, TGTA }


Kerberos Protocol – Ticket Granting Service
Requesting a ticket for accessing server Bob

H: Hash function
E(x, k): Encryption of x with key k
D(x, k): Decryption of x with key k

Parties: User Alice, KDC
User Alice holds: Session Key: SA, Ticket: TGTA
KDC database: Server Bob: MKeyB

Alice: E({ Alice, time }, SA) = qR71htp9
Alice → KDC: TGS_REQ [Bob, TGTA, qR71htp9]
KDC: D(TGTA, MKeyKDC) = { Alice, SA }
KDC: D(qR71htp9, SA) = { Alice, time }, valid?
KDC: Session key for Alice-Bob: SAB
KDC: E({ Alice, SAB }, MKeyB) = TAB
KDC: E({ SAB, TAB }, SA) = b22sYG1k
KDC → Alice: TGS_REP [b22sYG1k]
Alice: D(b22sYG1k, SA) = { SAB, TAB }


Kerberos Protocol – Client/Server Authentication
Accessing server Bob

H: Hash function
E(x, k): Encryption of x with key k
D(x, k): Decryption of x with key k

Parties: User Alice, Server Bob
User Alice holds: Session Key: SAB, Ticket: TAB
Server Bob holds: MKeyB

Alice: E({ Alice, timeA }, SAB) = w86EQa55
Alice → Bob: AP_REQ [TAB, w86EQa55]
Bob: D(TAB, MKeyB) = { Alice, SAB }
Bob: D(w86EQa55, SAB) = { Alice, timeA }, valid?
Bob: E({ Bob, timeB }, SAB) = 4tMJx73c
Bob → Alice: AP_REP [4tMJx73c]
Alice: D(4tMJx73c, SAB) = { Bob, timeB }, valid?
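The AS, TGS and AP exchanges of the last three slides as runnable code, an added example that is not part of the original slides. `E`/`D` here are a SHAKE-256 keystream with an HMAC tag standing in for a real Kerberos encryption type, `H` is plain SHA-256, and the 300-second `SKEW` and the fixed `now` value are assumptions; the AP_REP leg is left out.

```python
import hashlib
import hmac
import json
import secrets

SKEW = 300  # allowed clock difference in seconds (assumed value)

def E(x, k):
    """Stand-in for the slides' E(x, k): SHAKE-256 keystream plus HMAC tag."""
    nonce, data = secrets.token_bytes(16), json.dumps(x).encode()
    stream = hashlib.shake_256(b"enc" + k + nonce).digest(len(data))
    body = nonce + bytes(a ^ b for a, b in zip(data, stream))
    return (body + hmac.new(k, body, hashlib.sha256).digest()).hex()

def D(c, k):
    """Inverse of E; raises ValueError if c was not produced under key k."""
    raw = bytes.fromhex(c)
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    stream = hashlib.shake_256(b"enc" + k + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], stream)))

def check(ticket, auth, now):             # the slides' "valid?" step
    if auth["user"] != ticket["user"] or abs(now - auth["time"]) > SKEW:
        raise ValueError("authenticator rejected")
    return ticket["user"]

class KDC:
    def __init__(self, master_keys):
        self.mk, self.mk_kdc = master_keys, secrets.token_bytes(32)  # MKeyKDC
    def _grant(self, user, ticket_key, reply_key):
        s = secrets.token_hex(32)                          # new session key
        ticket = E({"user": user, "key": s}, ticket_key)   # TGTA or TAB
        return E({"key": s, "ticket": ticket}, reply_key)
    def as_req(self, user, preauth, now):                  # AS_REQ -> AS_REP
        if abs(now - D(preauth, self.mk[user])) > SKEW:
            raise ValueError("stale pre-authentication")
        return self._grant(user, self.mk_kdc, self.mk[user])
    def tgs_req(self, server, tgt, auth, now):             # TGS_REQ -> TGS_REP
        t = D(tgt, self.mk_kdc)
        sa = bytes.fromhex(t["key"])
        return self._grant(check(t, D(auth, sa), now), self.mk[server], sa)

def bob_ap_req(mkey_b, tab, auth, now):                    # AP_REQ at server Bob
    t = D(tab, mkey_b)
    return check(t, D(auth, bytes.fromhex(t["key"])), now)

def run(password, now=1321228800, delay=0):
    """Alice's side of all three exchanges; returns the name Bob accepted."""
    mk_b = secrets.token_bytes(32)
    kdc = KDC({"Alice": hashlib.sha256(b"2Uh7&").digest(), "Bob": mk_b})
    mk_a = hashlib.sha256(password.encode()).digest()      # H(password) = MKeyA
    me = {"user": "Alice", "time": now}
    rep = D(kdc.as_req("Alice", E(now, mk_a), now), mk_a)  # {SA, TGTA}
    sa = bytes.fromhex(rep["key"])
    rep = D(kdc.tgs_req("Bob", rep["ticket"], E(me, sa), now), sa)  # {SAB, TAB}
    return bob_ap_req(mk_b, rep["ticket"], E(me, bytes.fromhex(rep["key"])), now + delay)
```

`run("2Uh7&")` returns `"Alice"`; a wrong password fails at the AS step, and `delay=3600` makes Bob reject the authenticator as stale even though the ticket itself is intact.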


KDC Replication

[Diagram: a Realm with one Master KDC and several Slave KDCs, each surrounded by a group of Hosts; label at the Master KDC: {db; MKeyKDC}]


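Inter-Realm Authentication

[Diagram: Alice and the Wonderland KDC in Realm Wonderland; Carol and the Lions KDC in Realm Lions. Messages 1 and 2 are exchanged between Alice and the Wonderland KDC, messages 3 and 4 between Alice and the Lions KDC, message 5 goes from Alice to Carol.]

1. TGS_REQ[Alice@Wonderland, Carol@Lions]
2. TGS_REP[credentials for Lions KDC]
3. TGS_REQ[Alice@Wonderland, Carol@Lions]
4. TGS_REP[credentials for Carol@Lions]
5. AP_REQ[Alice, KA{KBA, “Alice”,...}]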


Summary

[Diagram: Client, Kerberos Authentication, Ticket Granting Service, Server]

1. authenticate user
2. access control for server
3. communication


10.5 Single Sign-On


Single Sign-On (SSO)

• 80% of helpdesk calls are password-related. Single sign-on systems could enable a company to reduce its helpdesk by 40% → savings of nearly $4.4 million for a company with 20'000 users.
  Forrester Research


Workflow-Based User Provisioning


Example: Novell Identity Manager


Synchronized Data View using a Meta-Directory


Meta Directories

• Meta directories contain information replicated from various source directories.

• Constant synchronization with the source directories guarantees the consistency between original and copy.

[Diagram: the source directories LDAP, Flat File and DB are each linked by Sync through Customized Connectors to the Meta Directory, which offers a Standardized, consistent view]


Virtual Directories

• Virtual directories provide access to the existing data sources without moving the data out of the original repository.

• Virtual directories act as a proxy between an LDAP server and a client. Configurable modules allow data to be manipulated during the transfer.

[Diagram: Client ↔ Virtual Directory ↔ LDAP Server. Inside the Virtual Directory, LDAP Broker Agents turn the LDAP request into a Modified LDAP request and the LDAP response into a Modified LDAP response.]


Identity and Access Management (IAM)

• Enterprise Information Architecture
  • Identify key business processes and determine the applications, information assets and transactions critical to meeting its business goals.
  • Define which users need what resources and at what level of security.

• Permission and Policy Management
  • Establish and enforce policies governing the access control rights of users. Single sign-on (SSO) procedures facilitate the access to all applications a user is entitled to use.

• Enterprise Directory Services
  • Use the Lightweight Directory Access Protocol (LDAP) to access an organization's central repository of user identities and access privileges, as well as applications, information, network resources and more.

• User Authentication
  • The use of a Public key infrastructure (PKI) is the preferred mechanism.

• Workflow-Based User Provisioning
  • Provisioning deploys access rights for employees, customers and business partners. Automated workflow systems reduce tedious manual tasks.