IS 302: Information Security and Trust
Week 9: User Authentication (Part II) and Introduction to Internet Security
2012
© Yingjiu Li 2007 2
Review
• Review of weak password authentication
• Unix passwords
• Windows passwords (LM and NT hashes)
• Attacks (dictionary and brute force)
Strong Password Authentication
I. Lamport scheme
II. Challenge response
III. Time stamp
• To address eavesdropping and replay attacks in communications
I. Lamport Scheme
• Registration phase
– H: one-way hash function
– Bob: choose a secret s; compute and send w0=H^100(s) to Alice in a secure manner
[Diagram: Bob holds s and computes H^100(s); Alice stores the record "Bob, w0=H^100(s)"; Mallory sits on the channel between them]
Lamport scheme: first-time authentication
– Bob sends one-time password w1=H^99(s) to Alice
– Alice authenticates Bob by checking if H(w1)=w0
– If match, Alice replaces w0 with w1=H^99(s)
[Diagram: Bob holds s and sends w1=H^99(s); Alice holds the record "Bob, w0=H^100(s)"; Mallory sits on the channel between them]
Lamport scheme: second-time authentication
– Bob sends one-time password w2=H^98(s) to Alice
– Alice authenticates Bob by checking if H(w2)=w1
– If match, Alice replaces w1 with w2=H^98(s)
[Diagram: Bob holds s and sends w2=H^98(s); Alice holds the record "Bob, w1=H^99(s)"; Mallory sits on the channel between them]
Discussion
• Why is the Lamport scheme secure against eavesdropping and replay attacks?
• How many times can Alice authenticate Bob in the Lamport scheme? What happens after that?
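Both sides of the scheme as an added Python example (not part of the slides): SHA-256 is assumed as the one-way hash H and n = 100 as on the slide, and the run shows a replayed w1 being rejected and the chain running out after exactly 100 logins.

```python
# Added example, not from the slides: Lamport one-time-password chain with n = 100.
# Assumption: SHA-256 stands in for the slide's one-way hash function H.
import hashlib, secrets

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()      # the scheme's one-way hash function

def h_iter(x: bytes, n: int) -> bytes:
    """H^n(x): apply H n times; H^0(x) = x."""
    for _ in range(n):
        x = H(x)
    return x

class Bob:
    """Prover: holds the secret s and counts the one-time passwords already sent."""
    def __init__(self, n: int = 100):
        self.s = secrets.token_bytes(32)
        self.n = n
        self.used = 0
    def register(self) -> bytes:
        """w0 = H^n(s), given to Alice over a secure channel."""
        return h_iter(self.s, self.n)
    def next_password(self) -> bytes:
        """w_i = H^(n-i)(s): each login walks one step down the chain, ending at w_n = s."""
        if self.used >= self.n:
            raise RuntimeError("chain exhausted: Bob must re-register with a fresh s")
        self.used += 1
        return h_iter(self.s, self.n - self.used)

class Alice:
    """Verifier: stores only the last accepted password, never s."""
    def __init__(self, w0: bytes):
        self.last = w0
    def authenticate(self, w: bytes) -> bool:
        """Accept w iff H(w) equals the stored value, then replace the stored value with w."""
        if H(w) != self.last:
            return False
        self.last = w
        return True

def demo() -> dict:
    """Constructed run: one login, a replay of the eavesdropped w1, then the other 99 logins."""
    bob = Bob(n=100)
    alice = Alice(bob.register())
    w1 = bob.next_password()
    first = alice.authenticate(w1)
    replay = alice.authenticate(w1)        # Mallory resends w1: H(w1) = w0 != w1, rejected
    later_ok = sum(alice.authenticate(bob.next_password()) for _ in range(99))
    return {"first": first, "replay": replay, "later_ok": later_ok,
            "remaining": bob.n - bob.used}  # 0: the chain is used up, Bob re-registers
```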
II. Challenge Response Scheme
• Alice and Bob share a password or password hash S
• Upon receiving Bob's id and authentication request, Alice sends Bob a non-repeating challenge C
• Bob responds with R=E(S,C) or H(S,C)
[Diagram: Bob and Alice both hold S; Bob sends his id, Alice returns the non-repeating challenge C, Bob returns the response R=E(S,C) or H(S,C); Mallory sits on the channel between them]
Discussion
• Why is the challenge response scheme secure against eavesdropping and replay attacks?
• What is the difference between the challenge response scheme and Lamport's scheme?
Case Study: MS Authentication Protocol (NTLM)
• Windows 2000, NT, XP, Vista, Windows 7
• Client → server, Type 1 message: a set of flags (encryption key sizes, request for mutual authentication)
• Server → client, Type 2 message: a set of flags + random challenge (8 bytes)
• Client → server, Type 3 message: response to the server challenge = MD4/MD5 hashing or DES encryption of (server challenge + client password hash)
NTLMv1 and NTLMv2
• LM-hash of pw: 16 bytes (DES+DES)
• NT-hash of pw: 16 bytes (MD4)
NTLMv1:
• C = 8-byte server challenge, random
• K1 | K2 | K3 = NT-hash | 5 bytes of 0
• R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
• K1 | K2 | K3 = LM-hash | 5 bytes of 0
• R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
• Response = R1 | R2
NTLMv2:
• CS = 8-byte server challenge, random
• CC = 8-byte client challenge, random
• CC* = 8-byte client information (X, time, CC, domain name)
• v2-Hash = HMAC-MD5(NT-hash, user name, domain name)
• LMv2 = HMAC-MD5(v2-hash, CS, CC)
• NTv2 = HMAC-MD5(v2-hash, CS, CC*)
• Response = LMv2 | CC | NTv2 | CC*
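The NTLMv2 response assembled as the slide lists it, as an added Python example (not part of the slides or of any Windows implementation): the NT-hash, CS, CC and CC* are constructed placeholder bytes, "HMAC-MD5(key, a, b)" is read as HMAC-MD5 over a || b, and the user name is upper-cased and UTF-16LE-encoded as the real protocol does, which the slide leaves out. The server-side check shows why a response captured for one CS is useless against a fresh one.

```python
# Added example, not from the slides: the NTLMv2 response assembled as the slide lists it.
# Assumptions: the NT-hash, CS, CC and CC* are constructed placeholder bytes (the real NT-hash
# is MD4 of the UTF-16LE password and is not computed here); "HMAC-MD5(key, a, b)" on the
# slide is read as HMAC-MD5 over the concatenation a || b.
import hmac, hashlib

def hmac_md5(key: bytes, *parts: bytes) -> bytes:
    """HMAC-MD5(key, a, b, ...) = HMAC-MD5 over a || b || ..."""
    return hmac.new(key, b"".join(parts), hashlib.md5).digest()

def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    cs: bytes, cc: bytes, cc_star: bytes) -> bytes:
    """Client side: Response = LMv2 | CC | NTv2 | CC*."""
    # v2-Hash = HMAC-MD5(NT-hash, user name, domain name); the real protocol upper-cases
    # the user name and encodes both names as UTF-16LE, which is done here too.
    v2_hash = hmac_md5(nt_hash, user.upper().encode("utf-16-le"), domain.encode("utf-16-le"))
    lmv2 = hmac_md5(v2_hash, cs, cc)          # LMv2 = HMAC-MD5(v2-hash, CS, CC)
    ntv2 = hmac_md5(v2_hash, cs, cc_star)     # NTv2 = HMAC-MD5(v2-hash, CS, CC*)
    return lmv2 + cc + ntv2 + cc_star

def verify_ntlmv2(nt_hash: bytes, user: str, domain: str, cs: bytes, resp: bytes) -> bool:
    """Server side: split the response, recompute both HMACs from the stored NT-hash
    and the challenge CS it issued itself, and compare in constant time."""
    if len(resp) != 48:                       # 16 + 8 + 16 + 8 with the slide's 8-byte CC*
        return False
    cc, cc_star = resp[16:24], resp[40:48]    # the client's own nonce and information block
    expected = ntlmv2_response(nt_hash, user, domain, cs, cc, cc_star)
    return hmac.compare_digest(resp, expected)

def demo() -> dict:
    """Constructed values only: one honest exchange, then the same response against a new CS."""
    nt_hash = bytes(range(16))                # placeholder for MD4(password)
    cs, cc, cc_star = b"\x11" * 8, b"\x22" * 8, b"\x33" * 8
    resp = ntlmv2_response(nt_hash, "alice", "EXAMPLE", cs, cc, cc_star)
    return {"length_bytes": len(resp),
            "accepted": verify_ntlmv2(nt_hash, "alice", "EXAMPLE", cs, resp),
            "replayed_to_new_challenge": verify_ntlmv2(nt_hash, "alice", "EXAMPLE", b"\x44" * 8, resp)}
```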
III. Time Stamp Scheme
• Alice and Bob keep synchronized clocks
– Time T is used as a one-time "challenge"
– Bob sends Alice his id and R=E(S,T) or H(S,T)
– Alice verifies R =? E(S,T) or H(S,T) using Bob's password (or password hash) S and her current time T
[Diagram: Bob and Alice both hold S; Bob sends "Bob id, R=E(S,T) or H(S,T)" to Alice; Mallory sits on the channel between them]
Discussion
• Why is the time stamp scheme secure against eavesdropping and replay attacks?
• How does the time stamp scheme compare with the challenge response scheme and the Lamport scheme?
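Alice's side of the challenge response scheme and of the time stamp scheme side by side, as an added Python example (not part of the slides): H(S, C) is assumed to be HMAC-SHA256 keyed with the shared secret S, and the time-stamp verifier is assumed to tolerate a clock-skew window of 30 seconds. The run shows where the two schemes differ: a challenge is consumed on first use, whereas a time stamp stays valid for the whole window, so Alice must remember the (T, R) pairs she has accepted to refuse a replay inside it.

```python
# Added example, not from the slides: Alice's side of the challenge-response and time-stamp
# schemes. Assumptions: R = H(S, C) is HMAC-SHA256 keyed with S; skew window = `window` s.
import hmac, hashlib, secrets, time

def response(S: bytes, C: bytes) -> bytes:
    """Bob's R = H(S, C) for a challenge C, or H(S, T) when C is the encoded time stamp."""
    return hmac.new(S, C, hashlib.sha256).digest()

class ChallengeResponseVerifier:
    """Alice issues a fresh, non-repeating C per request and accepts each C only once."""
    def __init__(self, S: bytes):
        self.S, self.pending = S, set()
    def challenge(self) -> bytes:
        C = secrets.token_bytes(16)
        self.pending.add(C)
        return C
    def verify(self, C: bytes, R: bytes) -> bool:
        if C not in self.pending:           # never issued, or already answered: a replay
            return False
        self.pending.discard(C)             # one answer per challenge, right or wrong
        return hmac.compare_digest(R, response(self.S, C))

class TimeStampVerifier:
    """Alice checks R against her own clock and remembers accepted (T, R) pairs inside the window."""
    def __init__(self, S: bytes, window: int = 30):
        self.S, self.window, self.seen = S, window, set()
    def verify(self, T: int, R: bytes, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - T) > self.window:      # stale (or future) time stamp
            return False
        self.seen = {(t, r) for t, r in self.seen if abs(now - t) <= self.window}
        if (T, R) in self.seen:             # exact replay while T is still fresh
            return False
        if not hmac.compare_digest(R, response(self.S, T.to_bytes(8, "big"))):
            return False
        self.seen.add((T, R))
        return True

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed run with a fixed clock: one good exchange and one replay for each scheme."""
    S = b"constructed shared secret S"
    alice = ChallengeResponseVerifier(S)
    C = alice.challenge()
    R = response(S, C)                      # what Bob sends back
    ts = TimeStampVerifier(S, window=30)
    RT = response(S, now.to_bytes(8, "big"))
    return {"cr_ok": alice.verify(C, R), "cr_replay": alice.verify(C, R),
            "ts_ok": ts.verify(now, RT, now), "ts_replay": ts.verify(now, RT, now + 5),
            "ts_stale": ts.verify(now, RT, now + 60)}
```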
Introduction to Internet Security
I. Secure Socket Layer (SSL)
II. Firewall (FW)
III. Intrusion Detection System (IDS)
I. SSL
• Secure Socket Layer (SSL) or Transport Layer Security (TLS)
• Secure communications between clients and servers on the Internet
• Sits between TCP and web applications
[Diagram: TCP/IP protocol stack; SSL sits between the application protocols (SMTP, HTTP, FTP, ...) and TCP, with IP and the network interface below]
SSL functionalities
– Server authentication with certificate
– Optional client authentication
– Encrypted channel between server and client
SSL Handshake Protocol
1. Web client → web server: SSL request
2. Web server → web client: server public key certificate
3. Web client → web server: random number R encrypted using the server public key
4. Both compute the session key based on R and switch to the encrypted tunnel (https)
Typical Applications with SSL
• E-commerce
• VPN
II. FW
• Filter and audit traffic between internal and external network
• Prevent unauthorized access to a private network
[Diagram: internal network | firewall | external network]
FW Policies
• Close policy: default deny, allow list (white list)
  firewall (p: packet) {
    if (allow(p)) forward(p);
    else drop(p);
  }
• Open policy: default permit, deny list (black list)
  firewall (p: packet) {
    if (deny(p)) drop(p);
    else forward(p);
  }
Close Policy Example
  boolean allow(packet p) {
    if (match(p.srcIP, 202.161.*.*) and match(p.dstPort, 25)) return true;
    elseif (match(p.srcIP, 202.161.*.*) and match(p.dstPort, 80)) return true;
    else return false;
  }
Open Policy Example
  boolean deny(packet p) {
    if (match(p.srcIP, 137.132.*.*) and match(p.dstPort, 25)) return true;
    elseif (match(p.srcIP, 155.69.*.*) and match(p.dstPort, 80)) return true;
    else return false;
  }
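The two policies and both example rule sets run over constructed packets, as an added Python example (not part of the slides): "202.161.*.*" is assumed to mean the prefix 202.161.0.0/16 (likewise 137.132.*.* and 155.69.*.*), a packet is reduced to (srcIP, dstPort), and the firewall returns "forward" or "drop" instead of acting. The SSH packets, which neither rule set names, show what each default does with traffic nobody thought about.

```python
# Added example, not from the slides: both firewall policies with the slide's allow()
# and deny() rules. Assumptions: "202.161.*.*" means the prefix 202.161.0.0/16 (same for
# 137.132.*.* and 155.69.*.*); a packet is reduced to (srcIP, dstPort); the firewall
# returns "forward" or "drop" instead of acting on the packet.
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src_ip: str
    dst_port: int

def match(ip: str, pattern: str) -> bool:
    """match(p.srcIP, 202.161.*.*): the octets before the first * form a CIDR prefix."""
    octets = pattern.split(".")
    n_fixed = octets.index("*") if "*" in octets else 4
    net = ipaddress.ip_network(".".join(octets[:n_fixed] + ["0"] * (4 - n_fixed)) + f"/{8 * n_fixed}")
    return ipaddress.ip_address(ip) in net

def allow(p: Packet) -> bool:
    """Close Policy Example: SMTP and HTTP from 202.161.*.* are the only allowed traffic."""
    if match(p.src_ip, "202.161.*.*") and p.dst_port == 25:
        return True
    elif match(p.src_ip, "202.161.*.*") and p.dst_port == 80:
        return True
    return False

def deny(p: Packet) -> bool:
    """Open Policy Example: block SMTP from 137.132.*.* and HTTP from 155.69.*.*."""
    if match(p.src_ip, "137.132.*.*") and p.dst_port == 25:
        return True
    elif match(p.src_ip, "155.69.*.*") and p.dst_port == 80:
        return True
    return False

def close_policy(p: Packet) -> str:
    """Default deny: forward only what allow() names (white list)."""
    return "forward" if allow(p) else "drop"

def open_policy(p: Packet) -> str:
    """Default permit: drop only what deny() names (black list)."""
    return "drop" if deny(p) else "forward"

def demo() -> dict:
    """Constructed packets; the SSH packets, named by neither rule set, show the difference."""
    pkts = {"smtp_from_202.161": Packet("202.161.5.9", 25), "ssh_from_202.161": Packet("202.161.5.9", 22),
            "smtp_from_137.132": Packet("137.132.1.1", 25), "ssh_from_137.132": Packet("137.132.1.1", 22)}
    return {name: (close_policy(p), open_policy(p)) for name, p in pkts.items()}
```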
Windows FW
– Start → cmd → firewall.cpl → Advanced settings
• Inbound rules
• Outbound rules
Limitation of FW
[Diagram: internal network | firewall | external network]
III. Intrusion Detection System (IDS)
• IDS should alert on an attack in progress
– With high accuracy
– In real time
– With complete diagnosis
– With effective recommendations on how to react
Accuracy of IDS
• False positive (alarm) rate
– #false-alerts/#alerts
• False negative (miss) rate
– #missed-attacks/#attacks
Signature-Based vs Anomaly-Based
• Signature-based IDS
– Signature: DB of known attack patterns
– IDS reports situations that match signatures
– Good: low false alarm rate, instantaneous detection
– Bad: cannot detect new attacks
• Anomaly-based IDS
– Profile: model of normal behaviors
– IDS reports situations that deviate from profiles
– Good: can detect some new attacks
– Bad: high false alarm rate, high complexity
Source: INFT 865, Ravi Sandhu, 2000
Why the false alarm rate is high in anomaly-based detection
• Analogy
– A test for a disease is 99% accurate
• 100 disease-free people tested: 99 test negative
• 100 diseased people tested: 99 test positive
– Prevalence of the disease is 1 in 10,000
– Alice tests positive
– What is the probability that Alice has the disease? 1 in 101 (101 = 1*99% + 9,999*1%)
– False alarm rate: 100 in 101 ≈ 99%
• Now assume that the test is 99.98% accurate
– What is the false alarm rate?
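The slide's two rate definitions and the disease analogy carried through exactly with fractions, as an added Python example (not part of the slides): a "99% accurate" test is assumed, as on the slide, to answer correctly for 99% of the diseased and 99% of the disease-free. With prevalence 1 in 10,000 the expected positives per 10,000 tests are 0.99 true and 99.99 false, so about 1 positive in 101 is real (exactly 99/10098 = 1/102; the slide rounds the 100.98 positives to 101), and the same functions evaluate the 99.98% case the slide asks about.

```python
# Added example, not from the slides: the slide's two IDS rate definitions and the disease
# analogy carried through exactly with fractions. Assumption: a test that is "99% accurate"
# gives the right answer to 99% of the diseased and 99% of the disease-free, as on the slide.
from fractions import Fraction

def false_positive_rate(false_alerts: int, alerts: int) -> Fraction:
    """Slide definition: #false-alerts / #alerts (the share of alarms that are false)."""
    return Fraction(false_alerts, alerts)

def false_negative_rate(missed_attacks: int, attacks: int) -> Fraction:
    """Slide definition: #missed-attacks / #attacks."""
    return Fraction(missed_attacks, attacks)

def expected_positives(accuracy, prevalence, population: int = 10_000):
    """Expected (true positives, false positives) among `population` tested people.
    accuracy and prevalence may be Fractions or strings such as "99/100"."""
    accuracy, prevalence = Fraction(accuracy), Fraction(prevalence)
    diseased = population * prevalence
    healthy = population - diseased
    return diseased * accuracy, healthy * (1 - accuracy)

def posterior(accuracy, prevalence) -> Fraction:
    """P(disease | positive test): true positives over all positives (Bayes' rule)."""
    tp, fp = expected_positives(accuracy, prevalence)
    return tp / (tp + fp)

def false_alarm_rate(accuracy, prevalence) -> Fraction:
    """Share of positive tests that are false alarms, i.e. the slide's false positive rate
    applied to the analogy: with a rare condition it stays near 1 even for an accurate test."""
    return 1 - posterior(accuracy, prevalence)

def demo() -> dict:
    """Slide numbers: 99% accuracy and prevalence 1 in 10,000 give 0.99 true and 99.99 false
    positives per 10,000 tests, i.e. about 1 in 101 (exactly 99/10098 = 1/102; the slide
    rounds 100.98 positives to 101). The second entry is the slide's 99.98% question."""
    prevalence = Fraction(1, 10_000)
    out = {}
    for accuracy in (Fraction(99, 100), Fraction(9998, 10_000)):
        tp, fp = expected_positives(accuracy, prevalence)
        out[f"{float(accuracy):.2%}"] = {"true_positives": tp, "false_positives": fp,
                                         "p_disease_given_positive": posterior(accuracy, prevalence),
                                         "false_alarm_rate": false_alarm_rate(accuracy, prevalence)}
    return out
```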
IDS Summary
• Advantages
– Complements the firewall
– Continues to improve
• Disadvantages
– False alarms
– Misses some new attacks
– Requires security personnel to handle alarms and monitor track records
Review
• How long is the NTLM (v1) response message?
1. 64 bits
2. 128 bits
3. 384 bits
• Which of the following must have a certificate in SSL?
1. Client
2. Server
3. Both
• To detect new attacks, you need to choose
1. Firewall
2. Signature-based IDS
3. Anomaly-based IDS