 |
The management of access to IT-based resources can be divided into four areas:
- authentication
- who is trying to access the resource?
- authorization
- is she allowed to access the resource in this way?
- accounting
- ensures she is billed for the access
- auditing
- institution-wide retrospective on resource usage
Authentication is the basis for authorization and accounting,
as both require reliable identification of
the person or entity accessing the resource.
One can consider four methods by which one might authenticate a person:
- Something the person is, such as via biometric authentication
- Something the person has,
such as a crypto token (e.g., smart card or java button)
- Something the person knows,
such as a password
- Something the person can do,
such as the ability to encrypt or decrypt a challenge dataset
The distinction between the latter three methods
is not as obvious as one might think.
A password can be thought of as something one has, rather than knows.
The ability to encrypt a challenge might also be seen
as having a capability.
One might have a crypto token,
which encapsulates the ability to encrypt a challenge,
but which is only enabled by a password the user knows.
Biometrics
Biometrics involve measuring a physical characteristic of
the person to be authenticated.
Avenues explored to date include
fingerprints, retinal patterns, and voice recognition.
All of these schemes require additional hardware
at the workstation where authentication is to be performed,
and at the time of this writing (June 2001)
they all have unacceptably high error rates.
90% is just not good enough for real world work.
There is also a more subtle problem with biometrics.
The link between the biometric reader device and the workstation computer
is vulnerable to eavesdropping and to injection attack.
If an adversary can persuade a person to authenticate, even once,
through a workstation that has been compromised in this way,
that person's biometric pattern can be surreptitiouly recorded.
At any later time the adversary
can re-inject the pattern into the link and masquerade as that person.
Human beings only have ten fingers and two irises.
What can be done the second time one's iris biometric is compromised?
Attempts to add security to this link merely shift the vulnerability
to the point between the actual biometric reader
(such as the fingerprint scanner) and the link security electronics.
It is difficult to imagine how
a biometrics device might reliably be protected from determined tampering
yet still allow a user's finger to be inserted.
This is an especially important consideration when
workstations may not be fully trusted,
such as mall kiosks or ATMs encountered during foreign travel.
Passwords
Today's authentication standard is the password.
The paradigm is easy for a human being to grasp,
and no additional hardware (such as a smart card) is needed.
But the widespread proliferation of userids and passwords
is already taxing a user's ability to memorize,
forcing her to either use the same password for every authentication
(which may not even be possible
if password changing is disallowed or constrainted),
or to write all the passwords down on a piece of paper
or enter them into a PDA.
Each of these alternatives constitutes a serious security vulnerability.
Ironically,
all the authentication techniques other than biometrics
are ultimately secured by the humble password.
Smart cards can be stolen,
so they are typically activated only with the use of a PIN number,
which is itself nothing more than a (particularly weak) password.
Even with strong PKI techniques,
the private key, whether stored on the workstation or in a crypto token,
is typically protected by symmetric encryption with a password,
which the user must give to allow authentication.
Network Authentication - Then and Now
When remote terminals were originally added to legacy mainframe systems,
the terminals were simply keyboards and data displays,
and did not have any local computational capacity.
Authentication was via clear-text password on the wire.
While this supported a version of two-way authentication
(a user could authenticate the server
by deliberately sending the wrong password),
clear text passwords were present both on the wire and
in a password database file on the server.
The next major advance, present in Unix and other systems,
was to store only a one-way hash of the password.
The password given by the user was passed through the hash algorithm,
and would only be accepted if the hash matched the stored value.
It was also necessary to seed the hash process with a unique ID,
so that users with the same clear text password
would generate different hash values.
Clear text passwords were still present on the wire,
but a compromise of the server would no longer yield
an entire database of clear text passwords.
Because the server required the clear text password on the wire,
posession of the hashed value alone was insufficient to authenticate.
But exposure of the hashed value left the system vulnerable
to brute force attack (trying every permutation of glyphs) and
to dictionary attack
(trying every word in a dictionary,
in the hope the user had chosen
a single, correctly spelled word as her password).
Eventually a shadow-password system was inaugurated,
in which the real password file is no longer visible to ordinary users.
Networked computer usage is no longer exclusively over enterprise networks.
Users expect to be able
to perform authorized tasks while using the commodity internet.
In many cases the network simply cannot be trusted.
Students in dorms share a broadcast ethernet,
and eavesdropping on other user sessions is as easy as
running a promiscuous listen program.
Those connecting via cable modem and via wireless (802.11b WiFi)
are currently protected by only very weak encryption systems.
Injection attack,
where packets that only seem to be from their purported sources
can be forged, are also technically possible.
In the worst case,
a network connection can be hijacked
(taken over by an adversary, leaving the original client disconnected)
or a “man in the middle” attack can be mounted.
(Figure adapted from CREN Middleware Conference 2001)
|
|
Network
Injection Attack -+
|
V |
| -+-------------+-- |
|
+-> Eavesdropping
|
|
|
|
|
In this brave new world,
we assume a security perimeter
around the server computer and around the client workstation,
but that the network itself
is insecure and thus vulnerable to various kinds of security attack.
One solution to this problem is to encrypt the communications link.
An eavesdropper sees only the encrypted traffic.
Even a hijacked connection is not useful
when the adversary cannot subvert the link encryption.
Today when customers purchase over the web
they freely send their (confidential) credit card numbers,
but typically the link from client to server is encrypted by
a protocol called SSL (Secure Server Link) and thus
an eavesdropping adversary cannot capture the credit card number.
SSL uses public-key technology, which will be described later.
Security systems such as Kerberos
avoid sending clear text passwords over the link,
by basing authentication on the ability to encrypt a challenge data set.
The server generates a challenge that is
guaranteed to be different from any other challenge ever issued
(it typically includes a date and time, to prevent playback attack).
The server sends this challenge to the client,
which encrypts the challenge with the password given by the user,
returning this encrypted result to the server.
Authentication is granted only if the result,
when decrypted with the password,
regenerates the original challenge dataset.
Alternatively,
the server can independantly encrypt the challenge with the password,
then compare the returned encrypted version with the locally generated one.
While this avoids the vulnerability of sending a password over the link,
an independant copy of the password is still stored at the server.
If the server itself is ever compromised,
an adversary can capture a large number of passwords in one exploit,
making the server itself a very tempting target.
Password hashing techniques like those described above
give no additional protection in this setting,
because it is the residue that would be passed on the wire,
not the clear-text password as before.
If posession of the residue is sufficient to authenticate,
then effectively the residue becomes the password,
and the situation is identical to that of the previous case where
the server stores copies of all the passwords,
in that compromise of the server password file gives an adversary
all the information she needs to impersonate a valid user.
Public Key Techniques and PKI
The root problem with symmetric encryption techniques is that
in granting the ability to decrypt
one must also grant the ability to encrypt,
because the same key is used for both functions.
Asymmetric encryption techniques use two different keys;
one key is used to encrypt, and the other key is used to decrypt.
Thus granting the decryption key
gives others the ability to read existing encrypted messages
but does not give the ability to generate additional such messages.
Conversely, granting the encryption key allows others to encrypt messages
without allowing them to read messages that have already been encrypted.
Applying this to the client-server example,
users can safely store their decryption keys on the server,
because it is the encryption key that
the adversary must steal in order to impersonate.
Thus an attack on the server is just not useful.
The server generates a unique challenge dataset and sends it to the client,
which uses the secret (private) encryption key to encrypt the challenge.
The client then returns the encrypted version to the server,
which uses the non-secret (public) decryption key to decrypt the result,
and only grants authentication if the original challenge is regenerated.
Unfortunately, practical public key systems use
keys that are too large for human beings to reliably remember.
At the time of this writing (July 2001)
512-bit keys were considered weak,
1024-bit keys were the operational standard,
and 2048 bit keys were being considered for high-security work.
(For the purpose of comparison,
a 2048 bit number would be roughly 614 digits when expressed in decimal.)
Because it is just not feasable
to expect a human being to reliably remember a multi-hundred-digit number
(or even be able to reliably enter it in on a keyboard!),
these schemes usually store the private key in symmetrically encrypted form,
either on the workstation's hard disk or in a crypto token,
and require a password or pass phrase to decrypt the private key for use.
Both these alternatives have their advantages and disadvantages.
Storing the private key on the workstation
requires a reliable backup for the workstation's disk storage,
and additional support for propagation when the workstation is being upgraded.
It also ties a worker to a specific workstation,
making it difficult to work from an alternative location,
such as at home or at a collaborative meeting site.
Storing the private key on a crypto token
allows authentication from different work sites,
but the crypto token can be lost, or accidently left at home,
and there is significant expense both in the tokens themselves
and in equipping every workstation with the associated token reader device.
At the time of this writing smart cards could be bought for $10 per person
and a typical USB smart card reader could be bought for $20 per workstation.
These costs would probably preclude universal campus usage of crypto tokens.
Another technique is to use a keyserver.
Typically the workstation makes a request to the keyserver,
which returns a symmetrically encrypted copy of the private key.
Some known transformation is used on the user's password
to derive the symmetric key that allows decryption of the keyserver response.
However,
if an adversary can obtain an encrypted private key from the keyserver,
she can conduct a brute force attack or a dictionary attack
against it at her leisure.
For this reason,
many keyserver systems require a residue of the user's password
to be supplied along with every keyserver request.
It is vitally important that this residue be distinct from
the password residue used to decrypt the keyserver response,
as the keyserver must store the residue used to validate the request,
but should not store the residue used to unlock the private key.
However,
an adversary can still eavesdrop on
the keyserver response from a valid authentication,
so unless the user, the keyserver, and all network links between them
are trusted,
the keyserver scheme is still vulnerable to brute force and dictionary attack.
For more information visit
http://www.oit.umd.edu/middleware/pki.html
Compromise of Workstation vs Compromise of Link
Another important point is that
all these techniques protect only against compromise of the link;
none of them can protect against compromise of the workstation itself.
If the workstation itself is compromised,
a keyboard-watcher can be installed,
and this can record any passwords as the user is typing them.
A compromised workstation can also perform substitution attacks,
telling the user she is authenticating for one purpose and then
using the authentication for a different, more sinister purpose.
The relative vulnerability of personal computer class workstations
(e.g., PC and Macintosh, as opposed to Unix/Linux workstations)
to this kind of compromise,
together with the abundance of attack software for such workstations,
in large part explains the initial resistance of
Project Athena (of which Kerberos is a part)
to incorporating these more vulnerable non-Unix workstations.
It would be possible to protect against the compromise of a workstation,
by equipping a crypto token with a display unit and keyboard.
The token would display the purpose for which authentication is desired
(to protect against substitution attack)
and the pass phrase would be typed directly into the crypto token,
so a keyboard watcher on the compromised workstation could not see it.
The challenge passed to the token and its response
would be encrypted with public key techniques
so the workstation could not profitably alter either message.
Such a token would be considerably more expensive than a typical smart card,
and if made too smart
could itself be vulnerable to virus attack.
The device would have to be just smart enough, and no smarter.
It is certainly not clear, however,
that authenticating a user on a compromised workstation is a good idea,
in the larger scheme of things.
The workstation could subtly alter the work process in progress,
or siphon off sensitive data to a lurking adversary.
Compromise of the workstation is a threat that must be seriously considered.
Application Servers
Under the assumption that
significant application usage will be by casual users
(those who do not use the application often enough to justify training)
and will be from personally-owned workstations
(and as such will have no software other than the standard web browsers),
a web-based application server approach will be useful.
There are a number of different ways to authenticate in this environment.
Proxy Server
In this method the workstation only talks to the authentication server,
which acts as a proxy for the application server.
After authentication,
all session data, both incoming and outgoing,
are passed through the authentication server.
Proxy Server method
|
|
|
|
|
------+------
|
|
|
|
Firewall |
|
---- |
|
|
A firewall must also be used,
to prevent the adversary from bypassing the authentication server
by attempting to contact the application server directly.
This method is somewhat more complicated than it first seems,
because a web session consists of many separate connections,
typically a different connection is made for each page element.
The server must keep track of authenticated users,
and allow their traffic (and only their traffic) to pass.
It is not clear by what method a particular user can be disambiguated.
While for single-user workstations the IP address may suffice,
there are many ways more than one user can share a single IP address.
Many SOHO (Small Office/Home Office) networks
share a single IP address among many users via the technique of
IP Masquerading, also called Network Address Translation (NAT).
Even a mainframe running Lynx or a multi-user Citrix configuration
may confuse an attempt to disambiguate “users” via IP address.
Single Redirect
Another method is
to make the host name part of every URL used for application access
(e.g., registration.umd.edu, bursar.umd.edu, etc)
a Domain Name System alias (DNS CNAME) for the authentication server.
When the web browser on the workstation is sent to one of these URLs,
it contacts the authentication server (1),
which solicits the appropriate passwords or other authentication data.
If and only if authentication succeeds,
the authentication server returns a redirect (2),
perhaps to a numerically specified (i.e., 128.8.125.13) URL,
sending the browser to the real applications server(3).
Single Redirect
|
|
-----(3)------------------------>
|
|
| |
-----(1)------------------------>
<------------------------(2)-----
|
|
|
The advantage of this method is that
no modification is needed at any of the applications web servers.
However, this method is “security by obscurity” because
any adversary can observe the actual application server IP address
and then bypass the authentication server entirely
by sending her browser directly to the real server.
For this reason this method is not generally recommended.
Double Redirect with Cookie
When this method is used the access URL resolves to the application server,
so it is initially contacted (1).
However,
the application servers are modified
to require the presence of a cookie,
a small file that web servers can deposit into the client's web browser.
If the required cookie is not present,
the application server returns a response (2)
redirecing the browser to the authentication server (3).
After satisfying whatever authentication is required,
the authentication server returns to the workstation
both a valid cookie and a redirection back to the application server (4).
When the browser accesses the application server a second time (5),
the required cookie is present, so the application server allows access.
Double Redirect with Cookie
|
-----(1)------------------------>
<------------------------(2)-----
-----(5)------------------------> |
|
| |
-----(3)------------------------>
<------------------------(4)----- |
|
|
This approach is being used by
Shibboleth and other authentication servers.
Of course,
precautions must be taken to prevent the cookie from being forged.
Either a symmetric key or an asymmetric key technique
can be used for this purpose.
Because a cookie is required,
and only the authentication server can create one,
an adversary cannot simply bypass the authentication server.
However,
this method does require modifications to the application web servers,
to require the cookie
and to perform the appropriate redirection if it is not present.
Another unfortunate disadvantage is that some security-conscious users
explicitly disable cookies and would thus be rejected by such a system.
Analysis
For high-security authentication
a physical crypto token provides the second factor
(the first being a password)
for a two-factor authentication system.
In this case
an asymmetric key system with the private key stored in the crypto token
provides an adequate level of security,
as the password is never sent in clear form over the wire,
and the server contains only public keys, never private ones.
This comes at the price of
requiring the purchase of crypto tokens and token readers.
For low-security authentication the picture is less clear.
Conventional challenge-response systems like Kerberos
have a security vulnerability in that
the authentication server contains a database of clear text passwords,
so an exploit of that server yields a very tempting payoff.
But there will be at most a small number of authentication servers
(only enough for network reliability)
and standard techniques can be used to harden them against attack.
Public Key systems do not store any private keys on the server,
but unless a physical crypto token is present,
the private keys must either be stored on the workstation's hard disk
or be distributed via a keyserver.
The vulnerability in both cases is that
an adversary may secretly obtain the encrypted private key
(by reading the workstation's backup tapes or
eavesdropping on a keyserver response during a valid authentication)
and then conduct a brute force or dictionary attack at her leisure,
over a period of weeks or months.
Because the workstation is inexpensive hardware and
not under the direct physical control of the security authority,
hardening it against exposure of the encrypted private key
is much more difficult.
|
