
1 Authentication, Authorization, and Accounting Mike Scher Director of Labs Neohapsis, Inc.


1 Authentication, Authorization, and Accounting
Mike Scher, Director of Labs, Neohapsis, Inc.

2 Or, Who, What, How, When, and Where
Tech 102

3 Neohapsis 101 - Who we are and what we do
Information security consultancy with an emphasis on R&D and QA/QC
Network Computing Magazine's Chicago Lab
Producers of the SANS Security Alert Consensus newsletter (SAC)

4 101 Recap
The Internet is “packet-switched”
To/from numeric “IP” addresses go on all packets of information
Domain names help users remember systems and networks, but map to IP addresses
Packets travel through several “hops” of routers along the way
Many systems automatically log information about usage (client and server may both retain logs or copies of data)
Trap and trace can pick up IP addresses of users accessing systems

5 “AAA”
What is Authentication?
–How does it work?
–How can it fail?
What is Accounting?
–How does it depend on Authentication?
–What is its utility?
What is Authorization?
–How does it depend on Authentication?
–Where and how do authorization systems work?

6 Overview: Encryption
What it is and what it isn’t
General kinds of encryption
How and where encryption is:
–Used
–Misused
–Abused

7 Encryption (cont.)
Kinds of crypto, generally
–Symmetric (e.g., shared secret key)
  The key used to encrypt (lock) is the same as the key used to decrypt (unlock)
  DES, Triple-DES (3DES), AES, IDEA, Blowfish, Twofish
–Asymmetric (e.g., public key)
  A key different from the key used to encrypt (lock) is used to decrypt (unlock)
  In public key cryptography, the key used to encrypt can be published widely with no negative impact on the security
Lockbox example

8 Encryption (cont.)
Where is crypto used?
–Asymmetric
  “Secure” web pages (SSL) – public key is called a “certificate”
  PGP (“Pretty Good Privacy”) – widely used public key system
–Symmetric
  “Secure” web pages (SSL) – after the session is set up with the public key, a secret key is exchanged and the session streams using a symmetric algorithm
  PGP (“Pretty Good Privacy”) – widely used public key system
  To “one-way encrypt” (hash) passwords in a password file
  Most file and disk encryption programs

9 Encryption (cont.)
Asymmetric encryption with public key cryptography
–A uses B’s PUBLIC key to send to B
–B uses B’s PRIVATE key to read it
–B uses A’s PUBLIC key to respond

10 Encryption (cont.)
Where is crypto misused?
–Weak crypto used to “protect” sensitive communications
–Poorly implemented cryptography
  Keys stored where they can be retrieved, stolen, snooped
  Strong cryptography in a shoddy application
  Strong cryptographic algorithm with poorly generated key

11 Encryption (cont.)
Where is crypto abused?
–Marketing!
“Proprietary” encryption algorithms
–Even if they are “patented” and “unbreakable,” too
–No public review = low chance of real security
One-time pads
–True that, properly done, they are extremely strong
–Manageability and limited utility make them almost useless for real-world applications outside espionage arenas
–“Throwaway” crypto
  Mere obfuscation passed off as encryption
  Clever people reinventing the wheel… and the problems

12 Authentication
User identification
–Who do you claim to be?
–Note the use of the term claim
–Examples:
  a userid: “jsmither”
  a name: “Joshua Smither”
  a SS#: 111-11-1111
  an e-mail address: jsmither@example.com
–Not always unique, even on the system

13 Authentication (cont.)
User identification + something else =
–Reasonable association of the person with the ID presented
–Why “reasonable”?
  All access controls can be defeated
  Many can be “spoofed”
  Reasonability depends (ideally) on a risk analysis
  What does the ID guard?

14 Authentication (cont.)
PLUS something else (How can I reasonably assume you are who you claim to be?)
–Password
–Digital certificate
–“One-time” password (e.g., tokens)
–Biometric
–ANI
–Physical locality (including IP address)
–Combination of above

15 Passwords
Passwords:
–Can be “weak” or “strong” (vs. guessing or “cracking”)
  Weak: mouser1 (guessable), r!verb3d (crackable)
  Strong: 9i63vDvKHp41b
–Problem with passwords:
  When they are memorable, they are weak
  When they are strong, they are unmanageable
  People almost always either pick weak passwords or record their passwords someplace handy (perhaps protected by a single password)
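Slide 15's weak/crackable/strong distinction and slide 8's "one-way encrypt (hash) passwords in a password file" can both be shown in a few lines. The block below is an added example written for this transcript, not code from the presentation or from Neohapsis. The word list and the leet-substitution table are constructed for illustration only; the storage format (algorithm, iteration count, salt, digest joined by "$") is the example's own convention, and the iteration count is an assumption.

```python
# Added example (not from the slides): a password-policy check that separates
# "guessable" (a word plus a digit) from "crackable" (a word with character
# substitutions) from "strong", plus salted, slow one-way storage and a
# constant-time verify. COMMON_WORDS and LEET are constructed samples.
import hashlib
import hmac
import re
import secrets

COMMON_WORDS = {"mouser", "riverbed", "password", "letmein", "qwerty"}   # constructed
LEET = str.maketrans({"!": "i", "1": "l", "3": "e", "0": "o",
                      "4": "a", "@": "a", "$": "s", "5": "s"})           # constructed


def classify(password: str) -> str:
    """Return "weak (guessable)", "weak (crackable)", "strong" or "weak"."""
    lowered = password.lower()
    stem = re.sub(r"\d+$", "", lowered)            # mouser1 -> mouser
    if stem in COMMON_WORDS:
        return "weak (guessable)"                   # a dictionary word plus digits
    if stem.translate(LEET) in COMMON_WORDS:
        return "weak (crackable)"                   # r!verb3d -> riverbed
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) >= 12 and classes >= 3:
        return "strong"
    return "weak"


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """One-way, salted, deliberately slow: what a password file should hold.
    Iteration count is an assumption for this example."""
    salt = salt or secrets.token_bytes(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("mouser1", "r!verb3d", "9i63vDvKHp41b"):
        print(pw, "->", classify(pw))
    record = hash_password("9i63vDvKHp41b")
    print(record)
    print(verify_password("9i63vDvKHp41b", record), verify_password("wrong", record))
```

The per-password salt is why two users with the same password get different records, and the iteration count is what makes the "cracked" case on the slide expensive rather than free; the classifier only illustrates the slide's categories and is not a substitute for a real strength estimator.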

16 Digital Certificates
Digital certificate
–Based on the huge, unpredictable product of two very large prime numbers
–Public/private key encryption
  A uses B’s PUBLIC key to send to B
  B uses B’s PRIVATE key to read it
  B uses A’s PUBLIC key to respond
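The A/B exchange on slides 9 and 16, and the "product of two very large primes" the key rests on, can be followed by hand with textbook RSA on tiny numbers. This is an added example, not code from the presentation or from Neohapsis; it uses deliberately small primes (61, 53, 101, 103) so the arithmetic is visible, and it is not usable for real security. The last function shows why the slide says "huge": with a small modulus, trial division recovers the private key immediately.

```python
# Added example (not from the slides): textbook RSA with toy-sized primes to
# walk through slide 9's exchange. Keys of this size give no real security;
# the point is to see which key each party uses at each step.
from math import gcd


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % p for p in range(2, int(n ** 0.5) + 1))


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)): the PUBLIC key and the PRIVATE key."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q                       # the "product of two primes" on slide 16
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1         # e must be invertible mod phi
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def exchange(a_keys, b_keys, a_to_b: int, b_to_a: int):
    """Slide 9 step by step. Returns (what B recovered, what A recovered)."""
    a_pub, a_priv = a_keys
    b_pub, b_priv = b_keys
    c1 = encrypt(b_pub, a_to_b)          # A uses B's PUBLIC key to send to B
    got_by_b = decrypt(b_priv, c1)       # B uses B's PRIVATE key to read it
    c2 = encrypt(a_pub, b_to_a)          # B uses A's PUBLIC key to respond
    got_by_a = decrypt(a_priv, c2)       # A uses A's PRIVATE key to read it
    return got_by_b, got_by_a


def recover_private_key(public_key):
    """Why key size matters: for a toy modulus, trial division finds p and q
    at once and the private exponent follows. Real keys use a modulus of
    hundreds of digits, where this loop is infeasible."""
    n, e = public_key
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    alice = make_keypair(101, 103, e=7)
    bob = make_keypair(61, 53, e=17)
    print("B's public key (n, e):", bob[0])
    print("round trip:", exchange(alice, bob, 65, 42))          # (65, 42)
    print("private key recovered from toy public key:", recover_private_key(bob[0]))
```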

17 Digital Certificates (cont.)
-----BEGIN CERTIFICATE-----
MIIDxDCCAy2gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVVMx
ETAP5thsbAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMRIwEAYDVQQKEwlO
ZW9oYXBzaXMxFzAVBgNVBAsTDk5lb2hhcHNpcyBMYWJzMRkwFwYDVQQDExBjYS5u
ZW9oYXBzaXMuY29tMScwJQYJKoZIhvcNAQkBFhhob3N0bWFzdGVyQG5lb2hhcHNp
cy5jb20wHhcNMDExMTE2MDA0MTA0W7hdtyExMTE0MDA0MTA0WjCBozELMAkGA1UE
BhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMRIwEAYD
VQQKEwlOZW9oYXBzaXMxFzpol91VBAsTDk5lb2hhcHNpcyBMYWJzMRkwFwYDVQQD
ExBjYS5uZW9oYXBzaXMuY29tMScwJQYJKoZIhvcNAQkBFhhob3N0bWFzdGVyQG5l
b2hhcHNpcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANn6Cz0ypg/m
dAjEqiGA2A/e++ffpuk69akqCIdfkjC6YtG/DKIgR8M7pjPldUPWaJxPZbnjTprx
OJylGLGl8n7RpqCi3ZM7MCi5VJ66B/ImxCAXhLnE0FJV/i3ONlwEQq5/voYwvv4z
JL0+H2IMMvC1iltw8shH1ZqhUSXyIlIhAgMBAAGjggEEMIIBADAdBgNVHQ4EFgQU
r9QFcUHlpDEMt8/8MmAjtu+/Z8cwgdAGA1UdIwSByDCBxYAUr9QFcUHlpDEMt8/8
Mm8jtu+/Z8ehgamkgaYwgaMxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9p
czEQMA4GA1UEBxMHQ2hpY2FnbzESMBAGA1UEChMJTmVvaGFwc2lzMRcwFQYDVQQL
Ew5OZW9oYXBzaXMgTGFiczEZMBcGA1UEAxMQY2EubmVvaGFwc2lzLmNvbTEnMCUG
CSqGSIb3DQ87bd3YaG9zdGwta52lckBupl81wXBzaXMuY29tggEAMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAdQ+FklXZfla9kehgwJmiIqGfwVOzVDdP
3IKIuRjGIOO3vYY0oKUWVWDF943MPqugCjx7pIcqezmkRxOIn+pjC3EnOC4H7HNo
JAX9avjxH9Wj39M+7y0OS8b471mIxBi3E5BVaMDCHmLbM3+4XQDd8rZZHGn/RWBM
UOYJ8wNhMPs=
-----END CERTIFICATE-----

18 Tokens and Smart Cards
Tokens (“one-time passwords”)
–Brands: SecurID, Axent (Symantec) Defender, SecureComputing Safeword, Cryptocard
Smartcards
–“Memory” smart cards store information (such as a digital certificate)
–“True” smart cards do the math internally

19 Biometrics
Familiar territory in forensics work
The goal is, ultimately, to do what we do in “real life” – to recognize the person
Convergence (accuracy of readers) remains a critical issue, with fairly high false negatives and some disturbing false positive numbers in recent testing

20 Locality
Door-mounted card readers, hand-print readers, keypads, etc.
Car door PIN locks
Keys in locks
ANI (“Automatic Number Identification”)
Secure terminals in secure locations
IP addresses (in some cases)

21 Logs (audit trails) and Authentication
System logs of “who was on what system when” depend on the authentication credentials of the user
Authentication credentials are often combined for greater assurance
–password + biometric + locality
–token (one-time password) + password + locality

22 Intrusion Detection Systems
Misuse detection vs. anomaly detection
Host based (HIDS) vs. network based (NIDS)
–HIDS: active audit trail monitoring
–NIDS: snooping network traffic for signs of malfeasance
Almost all report to a central collection, correlation and alert-generating server
Useful as an early-warning system and for trending trouble areas
Useful for some types of after-the-fact damage analysis
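Slide 21's point that audit trails hinge on authentication records, and slide 22's misuse-versus-anomaly split, come together in a HIDS-style check over login logs. The block below is an added example written for this transcript, not code from the presentation or from any IDS product. The log lines, host name, user names, addresses and the "usual hours" baseline are all constructed; the line format is a simplified, invented one, not a real sshd format.

```python
# Added example (not from the slides): two detection rules run over constructed
# authentication log lines. detect_misuse() is a signature ("N failures from
# one address inside a window"); detect_anomalies() compares successful logins
# against a per-user baseline of usual hours.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; format, hosts, users and addresses are made up.
SAMPLE_LOG = """\
2001-11-16 02:14:01 host1 sshd: Failed password for jsmither from 10.0.0.7
2001-11-16 02:14:05 host1 sshd: Failed password for jsmither from 10.0.0.7
2001-11-16 02:14:09 host1 sshd: Failed password for root from 10.0.0.7
2001-11-16 02:14:12 host1 sshd: Failed password for admin from 10.0.0.7
2001-11-16 02:14:15 host1 sshd: Failed password for jsmither from 10.0.0.7
2001-11-16 02:14:30 host1 sshd: Accepted password for jsmither from 10.0.0.7
2001-11-16 09:05:00 host1 sshd: Accepted password for jsmither from 10.0.0.21
2001-11-16 09:30:00 host1 sshd: Failed password for asmith from 10.0.0.22
2001-11-16 09:30:10 host1 sshd: Accepted password for asmith from 10.0.0.22
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, ip = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "ok": outcome == "Accepted",
                       "user": user, "ip": ip})
    return events


def detect_misuse(events, threshold: int = 5, window=timedelta(seconds=60)):
    """Misuse (signature) rule: threshold failures from one address within window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(("password-guessing burst", ip, times[i]))
                break                       # one alert per address
    return alerts


# Constructed baseline: the hours each user normally logs in.
USUAL_HOURS = {"jsmither": range(8, 19), "asmith": range(8, 19)}


def detect_anomalies(events, baseline=USUAL_HOURS):
    """Anomaly rule: a successful login outside the user's usual hours.
    Users with no baseline are treated as unrestricted."""
    alerts = []
    for e in events:
        if e["ok"] and e["ts"].hour not in baseline.get(e["user"], range(24)):
            alerts.append(("off-hours login", e["user"], e["ip"], e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_misuse(evs) + detect_anomalies(evs):
        print(alert)
```

Both rules only work because the log carries the authenticated user name and source address, which is slide 21's dependency in practice; the signature rule fires regardless of who the users are, while the anomaly rule needs a baseline and would stay silent on a user it has never seen.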

23 Problems in Authentication as Evidence
Username/password
–Easily stolen when sent “in clear”
–Or via “trojan horse” programs, worms, viruses
–Often guessable
IP address
–Spoofable for some kinds of connections
–Doesn’t establish that the user initiated the action

24 Problems in Authentication as Evidence (cont.)
Digital certificates
–Large password protected by a small password
–File can be taken just like any other
–User’s password to activate the certificate may be
  Guessed
  Cracked
  Snooped
–More like a “rubberstamp” signature in a locked drawer
  But owner may have no indication of its theft
  Rebuttable presumption of identity unlikely to ever be rebutted

25 Problems in Authentication as Evidence (cont.)
Biometrics
–Biometrics are static, and easily copied once known
–Never-ending escalation of spoofing tricks against the reader, never-ending need to upgrade readers
–Remote biometric authentication raises issues
  Credentials injected into the stream
  Biometric readers use a variety of cryptographic methods to ensure data integrity and reader legitimacy
  At that point, biometrics are a fixed password in a public-key authentication system

26 Authentication as Evidence
Combining unintended authenticators with intentional authenticators increases evidentiary value
Example: DNR + time of day + IP + username and password + files found on user’s system

27 Problems in Authentication as Evidence (cont.)
DNR + IP + time of day + username and password + files found on user’s system
–Was it the user?
–Or was it a worm?
–Or was it an electronic intruder using the person’s computer?
Other, circumstantial evidence may defeat such assertions

28 Authorization
Once we know (reasonably) who it is, we need to decide what they can access, and how.
–Servers
–Networks
–Applications
–Files (data)
–Actions

29 Authorization Systems
Access Control Lists (ACLs)
–On firewalls
–On gateways and routers
–On servers
–On workstations

30 Firewalls
Help provide an initial layer of defense at boundaries
Provide network accounting mechanisms
Can be used as a broad access control device
Some firewalls can do ACL and pattern-based content filtering, and many perform virus filtering
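An ACL as slides 29 and 30 use the term is an ordered rule list: the first rule that matches a packet decides, and anything that matches nothing is denied. The block below is an added example written for this transcript, not code from the presentation, from Neohapsis, or from any firewall vendor; the rule set, addresses and ports are constructed, and the per-rule hit counters and decision log stand in for the "network accounting mechanisms" slide 30 mentions. The last function shows the classic ordering mistake: the same rules in a different order silently change the decision.

```python
# Added example (not from the slides): a first-match packet-filter ACL with
# an implicit deny at the end and simple accounting (hit counts, decision log).
# Rules, addresses and ports are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


@dataclass
class Acl:
    rules: List[Rule]
    hits: List[int] = field(default_factory=list)   # accounting: matches per rule
    log: List[str] = field(default_factory=list)    # accounting: one line per decision

    def __post_init__(self):
        self.hits = [0] * len(self.rules)

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, int]:
        """First matching rule wins. No match falls through to implicit deny (-1)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(src_ip, dst_ip, proto, dport):
                self.hits[i] += 1
                self.log.append(f"{rule.action} {src_ip}->{dst_ip}:{dport}/{proto} rule={i}")
                return rule.action, i
        self.log.append(f"deny {src_ip}->{dst_ip}:{dport}/{proto} rule=implicit")
        return "deny", -1


# Constructed border rule set: one internal server reachable on 443, nothing
# else into the internal range, plain web traffic out to anywhere.
RULES = [
    Rule("permit", "192.168.1.0/24", "10.0.0.5/32", "tcp", 443),
    Rule("deny",   "192.168.1.0/24", "10.0.0.0/8"),
    Rule("permit", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80),
]


def order_matters() -> Tuple[str, str]:
    """Same three rules, broad deny moved first: it now shadows the narrow permit."""
    forward = Acl(RULES).evaluate("192.168.1.10", "10.0.0.5", "tcp", 443)[0]
    shadowed = Acl([RULES[1], RULES[0], RULES[2]]).evaluate(
        "192.168.1.10", "10.0.0.5", "tcp", 443)[0]
    return forward, shadowed


if __name__ == "__main__":
    acl = Acl(RULES)
    for pkt in [("192.168.1.10", "10.0.0.5", "tcp", 443),
                ("192.168.1.10", "10.0.0.6", "tcp", 443),
                ("192.168.1.10", "203.0.113.9", "tcp", 80),
                ("172.16.0.1", "203.0.113.9", "tcp", 80)]:
        print(pkt, "->", acl.evaluate(*pkt))
    print("hits per rule:", acl.hits)
    print("rule order (original, reversed):", order_matters())   # ('permit', 'deny')
```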

31 Firewalls (cont.)

32 Firewalls (cont.)
All firewalls are not created equal
There is no “best” firewall
Don’t solve host/server-level problems
Often provide a false sense of security
Have a history of their own security problems


34 Gateways and Routers
Whose traffic goes where… and how?
Gateways include
–Firewalls
–Routers
  Acting as traffic cops
  Control direction, speed
  Can help control IP “spoofing”
–Virtual Private Network (VPN) gateways

35 VPNs
VPN:
–Simulate a point-to-point, dedicated telco line as closely as reasonably possible
  Identify user or remote network (authentication)
  Limit access (authorization)
  Log accesses and violations (accounting)



38 VPNs (cont.)
Inherently serve one real purpose:
–Make doing a very risky thing as safe as reasonably possible
Then why do we use them?
–Costs
–Also, costs
–Oh, and costs, too.

39 VPNs (cont.)
(Not to mention, costs.)
The big myths about VPNs:
–inherently add security
–authenticate end-users
–ensure authorized use
–always less expensive than dedicated telco connectivity

40 VPNs (cont.)
Risks (especially in connecting a home user to the enterprise network) are significant
–Privacy of the connection and authentication traffic
–Theft/compromise of authentication credentials
–End user’s system used as live gateway to private network after the user authenticates
–End user fooled into authenticating to trojan gateway
–Store-and-forward (time-delayed) attacks from compromised end-user system

41 The Upshot
Defense in depth is becoming the new best practice in most industries
–Use firewalls at least at corporate borders
–Use IDS internally and at borders
–Secure servers and put IT policies in place to maintain their security
–Use strong authentication devices for all remote access
–Use VPNs with strong authentication and limit remote users’ capabilities
Never assume a product is so secure that it is all you need for security – even a firewall
IT staff need to get and stay up to date, reviewing new issues almost on a daily basis
Manage IT risks as a part of conducting business

42 Questions?

43 URLs
Us: http://www.neohapsis.com
Many security mailing list archives: http://archives.neohapsis.com
Security Alert Consensus (SAC): http://www.sans.org/sansnews
Mike: mscher@neohapsis.com
