Information systems slide chapter 2 security

Page 1

CIS 534 Advanced Network Security, Chapter 2

Prof. Mort Anvari

Strayer University

Abraham Torres

Page 2

Secure Technology Classes

A wide range of security technologies exists to provide solutions for securing network access and data transport mechanisms within the corporate network infrastructure:

Identity technologies

Security in TCP/IP structure layers

Virtual Private dial-up security technologies (VPM)

Public Key Infrastructure and distribution models

Page 3

Identity Technologies

Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant access to specific parts of the network before establishing who is trying to gain access to restricted resources.

How foolproof the authentication method is depends on the technology used.

Page 4

Identity Product Technology

Secure Password Protocol (S/Key)

Token Password Authentication Schemes

Point-to-Point Protocol (PPP)

The TACACS+ Protocol

The RADIUS Protocol

The Kerberos Protocol

Page 5

Secure Key Password Protocol

The S/Key One-Time Password System, released by Bellcore and defined in RFC 1760, is a one-time password generation scheme based on MD4 and MD5. The S/Key protocol is designed to counter a replay attack when a user is attempting to log in to a system.

It involves three distinct steps:

Preparation step: The client enters a secret pass phrase. This pass phrase is concatenated with the seed that was transmitted from the server in cleartext.

Generation step: Applies the secure hash function multiple times, producing a 64-bit final output.

Output function: Takes the 64-bit one-time password and displays it in readable form.
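The three steps above, worked through as an added example (this is not code from the slides): the client hashes the seed and pass phrase N-1 times, while the server, which stores only the N-th hash, hashes the submitted value once more and compares. Assumptions: MD5 stands in for MD4, the 64-bit result is shown as hex rather than in the six-word encoding, the seed is placed before the pass phrase, and the user name, seed and pass phrase are constructed values.

```python
import hashlib

# Added example following the S/Key scheme of RFC 1760 (not the slides' code).
# Assumptions: MD5 replaces MD4, hex output replaces the six-word encoding.

def fold64(digest: bytes) -> bytes:
    """RFC 1760 folds the 128-bit digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def skey_hash(x: bytes) -> bytes:
    return fold64(hashlib.md5(x).digest())

def one_time_password(passphrase: str, seed: str, count: int) -> bytes:
    """Preparation step (seed || pass phrase) followed by 'count' hash rounds."""
    x = (seed + passphrase).encode()
    for _ in range(count):
        x = skey_hash(x)
    return x

def readable(otp: bytes) -> str:
    """Output step, simplified to hex; RFC 1760 uses six short English words."""
    return otp.hex()

class SkeyServer:
    """The server keeps only hash^N of the secret, never the pass phrase."""

    def __init__(self):
        self.users = {}   # user -> [seed, sequence number N, stored hash^N]

    def enroll(self, user: str, passphrase: str, seed: str, n: int = 100):
        # In practice the client computes this value and hands it over once;
        # the pass phrase itself never reaches the server.
        self.users[user] = [seed, n, one_time_password(passphrase, seed, n)]

    def challenge(self, user: str):
        """Sent in cleartext: the client must answer with hash^(N-1)."""
        seed, n, _ = self.users[user]
        return n - 1, seed

    def login(self, user: str, otp: bytes) -> bool:
        seed, n, stored = self.users[user]
        if n <= 1 or skey_hash(otp) != stored:
            return False
        self.users[user] = [seed, n - 1, otp]   # stored value is now hash^(N-1)
        return True

def skey_client(passphrase: str, challenge) -> bytes:
    count, seed = challenge
    return one_time_password(passphrase, seed, count)

def demo():
    """Constructed exchange: a fresh OTP logs in, a captured one is refused."""
    server = SkeyServer()
    server.enroll("alice", "correct horse battery", "ks12345", n=100)
    otp = skey_client("correct horse battery", server.challenge("alice"))
    first = server.login("alice", otp)
    replay = server.login("alice", otp)      # replayed OTP: server now expects hash^98
    nxt = skey_client("correct horse battery", server.challenge("alice"))
    second = server.login("alice", nxt)
    return first, replay, second             # (True, False, True)
```

Because the hash is one-way, someone who sniffs hash^(N-1) on the wire cannot compute hash^(N-2), which is what the server will demand next; that is the replay protection the slide refers to. The server state must be updated atomically on success, otherwise two concurrent logins with the same OTP could both be accepted.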

Page 6

Token Password Authentication

Token authentication systems generally require the use of a special smart card or token card. Although some implementations are done using software to alleviate the problem of losing the smart card or token, these types of authentication mechanisms are based on one of two alternative schemes:

Challenge-Response

Time-Synchronous Authentication

Page 7

Steps for Authentication (Challenge-Response)

Step 1: The user dials into an authentication server, which then issues a prompt for a user ID.

Step 2: The user provides the ID to the server, which then issues a challenge: a random number that appears on the user's screen.

Step 3: The user enters that challenge number into the token or smart card, a credit-card-like device, which then encrypts the challenge with the user's encryption key and displays a response.

Step 4: The user types this response and sends it to the authentication server. While the user is obtaining a response from the token, the authentication server calculates what the appropriate response should be, based on its database of user keys.

Step 5: When the server receives the user's response, it compares that response with the one it has calculated.

Page 8

Time-Synchronous Token Authentication (figure): the user dials into the server, is prompted for an access code and enters a PIN; the token card displays a code such as 8HAD589, which the server compares with the value it has computed itself.
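Both token schemes (the five challenge-response steps on the previous page and the time-synchronous flow in the figure) as one added example, not code from the slides. Assumptions: the card's "encryption of the challenge" is modelled as HMAC-SHA256 truncated to seven decimal digits (real cards use vendor-specific algorithms), the time window is 60 seconds with one window of tolerated clock drift, and the user, key and PIN are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Added example (not the slides' code). Assumption: HMAC-SHA256 stands in for
# the token card's proprietary computation; the display is 7 decimal digits.

def token_compute(key: bytes, data: bytes, digits: int = 7) -> str:
    """What the card shows for a given input (a challenge or a time window)."""
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class ChallengeResponseServer:
    """Server side of steps 1-5 of the challenge-response scheme."""

    def __init__(self, user_keys):
        self.user_keys = user_keys      # database of user keys (step 4)
        self.pending = {}               # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(8)      # step 2: random challenge shown to the user
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)          # a challenge may be answered once
        if c is None or user not in self.user_keys:
            return False
        expected = token_compute(self.user_keys[user], c)   # step 4, server side
        return hmac.compare_digest(expected, response)      # step 5

def time_code(key: bytes, now: int, step: int = 60) -> str:
    """Time-synchronous token: the input is the current time window, not a challenge."""
    return token_compute(key, struct.pack(">Q", now // step))

class TimeSyncServer:
    def __init__(self, user_keys, user_pins, step: int = 60, skew: int = 1):
        self.user_keys, self.user_pins = user_keys, user_pins
        self.step, self.skew = step, skew
        self.last_used = {}             # user -> (window, code) last accepted

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        if user not in self.user_keys or not hmac.compare_digest(self.user_pins[user], pin):
            return False
        window = now // self.step
        for w in range(window - self.skew, window + self.skew + 1):   # tolerate drift
            expected = token_compute(self.user_keys[user], struct.pack(">Q", w))
            if hmac.compare_digest(expected, code):
                if self.last_used.get(user) == (w, code):
                    return False                # same code presented again: replay
                self.last_used[user] = (w, code)
                return True
        return False

def demo():
    """Constructed run of both schemes: first use accepted, reuse rejected."""
    key = secrets.token_bytes(32)               # shared between card and server
    cr = ChallengeResponseServer({"bob": key})
    c = cr.challenge("bob")
    ok = cr.verify("bob", token_compute(key, c))        # card computes, user types it
    replay = cr.verify("bob", token_compute(key, c))    # challenge already consumed
    ts = TimeSyncServer({"bob": key}, {"bob": "4321"})
    now = 1000
    ok_t = ts.verify("bob", "4321", time_code(key, now), now + 40)
    replay_t = ts.verify("bob", "4321", time_code(key, now), now + 45)
    return ok, replay, ok_t, replay_t           # (True, False, True, False)
```

The two servers differ in what limits replay: the challenge-response server discards each challenge after one answer, while the time-synchronous server must remember the last accepted code because the same code stays valid for the whole window (plus the drift tolerance). Both compare with `hmac.compare_digest` so that timing does not leak how many digits matched.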

Page 9

Point-to-Point Protocol

The Point-to-Point Protocol (PPP) is most often used to establish a dial connection over serial lines or ISDN. PPP authentication mechanisms include the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), and the Extensible Authentication Protocol (EAP). In all these cases, the peer device is being authenticated rather than the user of the device. PPP provides for an optional authentication phase before proceeding to the network-layer protocol phase.

Point-to-Point Frame Format

Flag | Address | Control | Protocol | Data | FCS | Flag

Page 10

PPP Authentication Summary

Protocol | Advantages | Disadvantages
PAP | Easy to implement | Does not have strong authentication; password is sent in the clear between client and server; no playback protection
CHAP | Password encrypted; playback protection between client and server | Password must be stored in cleartext on both client and server
EAP | Flexible, more robust authentication support | New; may not yet be widely deployed

Page 11

TACACS+ Protocol

The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP-based access control protocol originally developed by BBN for the MILNET. Cisco has enhanced (extended) TACACS several times, and Cisco's implementation, based on the original TACACS, is referred to as XTACACS.

Fundamental Differences

• TACACS: Combined authentication and authorization process.

• XTACACS: Separated authentication, authorization, and accounting.

• TACACS+: XTACACS with extended attribute control and accounting.

Page 12

RADIUS Protocol

The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc. as an access server authentication and accounting protocol. In June 1996, the RADIUS protocol specification was submitted to the IETF. The RADIUS specification (RFC 2058) and RADIUS accounting standard (RFC 2059) are now proposed standard protocols.

RADIUS Authentication: The server can support a variety of methods to authenticate a user; it can support PPP, PAP, CHAP, UNIX and other authentication mechanisms.

RADIUS Authorization: The authentication and authorization functionalities are coupled together; typical parameters include service type (shell or framed), protocol type, IP address to assign the user (static or dynamic), access list to apply, or the static route in the NAS.

Page 13

RADIUS Accounting: Allows data to be sent at the start and end of sessions, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session.

RADIUS Transactions: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecured network

Figure: Modem -> RADIUS client (no encryption on the dial-up leg) -> RADIUS server, over the RADIUS protocol (encryption of the applicable TACACS+/RADIUS parameters).
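How the shared secret is used without ever being transmitted, as an added example (not code from the slides) following RFC 2865, the successor of the RFC 2058 cited above: the User-Password attribute is hidden by XORing it with MD5(secret || Request Authenticator), and the server's reply carries a Response Authenticator computed over the reply and the secret. The secret, identifiers, user name, password and reply attribute below are constructed values.

```python
import hashlib
import hmac
import struct

# Added example of the RFC 2865 RADIUS shared-secret mechanics (not slide code).
# All packet contents here are constructed for illustration.

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, so the XOR undoes itself; padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Attribute encoding: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident: int, request_auth: bytes, username: bytes,
                  password: bytes, secret: bytes) -> bytes:
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes,
                   secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator over the received reply."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Two things to notice: the Request Authenticator must be unpredictable and unique per request, because a repeated value reuses the keystream that hides the password; and only the reply is authenticated in this design, which is one reason RADIUS deployments restrict the client-server path to a trusted segment or tunnel it, as the figure's "no encryption" versus "encryption of applicable parameters" split suggests.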

Page 14

The Kerberos Protocol

Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. The Kerberos Version 5 protocol is an Internet standard specified by RFC 1510.

When the client wants to create an association with a particular application server, the client uses the authentication request and response to first obtain a ticket and a session key from the KDC.

Figure: the client holds a key shared between the KDC (Key Distribution Center) and the client.

Page 15

The FORTEZZA

The Multilevel Information Systems Security Initiative (MISSI) is a network security initiative under the leadership of the National Security Agency (NSA). MISSI provides a framework for the development and evolution of interoperable security products to provide flexible, modular security for the networked information systems across the Defense Information Infrastructure (DII) and the National Information Infrastructure (NII). Netscape has a built-in browser that links SSL

MISSI Building Blocks

FORTEZZA and FORTEZZA Plus

Firewalls

Guards

Inline encryptors

Trusted computing

Page 16

Major Types of FORTEZZA Applications

Electronic Messaging: Can secure e-mail, electronic data interchange (EDI), electronic commerce, and facsimile to provide message encryption, authentication, and data integrity.

World Wide Web: Can protect secure Web transactions using strong identification and authentication and Secure Sockets Layer (SSL) interactions.

File and Media Encryptors: These encryptors are applications written to enable FORTEZZA to secure user files on storage media.

Identification and Authentication: After the FORTEZZA card has been installed in the workstation and the PIN has been correctly entered, the identity of the user is known and trusted.

Page 17

Security in TCP/IP Layers

Figure: the TCP/IP protocol stack, showing the User Datagram Protocol and OSPF above the Internet Protocol, and ARP, Ethernet, Token Bus, Token Ring and FDDI beneath it.

Page 18

TCP/IP Application Layer

Provides access to the network for the end user. The user's capabilities are determined by what items are available on this layer. Contains the logic needed to support various applications; each type of application (file transfer, remote access) requires different software on this layer.

FTP: Protocol for copying files between hosts

HTTP: Primary protocol used to implement the WWW

Telnet: Remote terminal protocol enabling any terminal to log in to any host

NNTP: Protocol used to transmit and receive network news

SNMP: Protocol used for managing network resources

SMTP: Protocol used for e-mail

S-HTTP: Protocol designed for secure Web transactions

Page 19

Transport Layer

Concerned with reliable transfer of information between applications; independent of the nature of the application. Includes aspects like flow control and error checking.

Isolates messages from lower and upper layers.

Breaks down message size.

Monitors quality of the communications channel.

Selects the most efficient communication service necessary for a given transmission.

Also called the host-to-host layer.

Uses TCP protocols for transmission.

Page 20

Secure Socket Layer Protocol

The Secure Socket Layer (SSL) is an open protocol designed by Netscape; it specifies a mechanism for providing data security layered between application protocols (such as HTTP, Telnet, NNTP, or FTP) and TCP/IP. It provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP

Page 21

The Secure Shell Protocol

The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. It provides support for secure remote login, secure file transfer, and the secure forwarding of TCP/IP and X Window System traffic.

SSH has three major components:

1. The transport layer protocol, which provides server authentication, confidentiality, and integrity with perfect forward secrecy. Optionally, it may also provide compression.

2. The user authentication protocol, which authenticates the client to the server.

3. The connection protocol, which multiplexes the encrypted tunnel

Page 22

The SOCKS Protocol

SOCKS is a transport-layer-based secure networking proxy protocol. It is designed to provide a framework for client/server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. SOCKS was originally developed by David and Michelle Koblas; the code was made freely available on the Internet.

SOCKS version 4 provides for unsecured firewall traversal for TCP-based client/server applications, including Telnet, FTP, and the popular information discovery protocols such as HTTP, WAIS, and Gopher.

SOCKS version 5, defined in RFC 1928, extends the SOCKS version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and IPv6 addresses.
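The version 5 features just listed in wire form, as an added example (not code from the slides or the SOCKS project): the method-negotiation greeting through which a server can insist on username/password authentication, and the request message with its three address types from RFC 1928 (IPv4, domain name, IPv6). The messages are built and parsed in memory; no socket is opened, and the host names and ports are constructed.

```python
import ipaddress
import struct

# Added example of the RFC 1928 SOCKS5 greeting and request formats
# (not the slides' code). Messages are constructed in memory.

VER = 5
NO_AUTH, USERNAME_PASSWORD, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CONNECT, BIND, UDP_ASSOCIATE = 1, 2, 3
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def client_greeting(methods) -> bytes:
    """VER, NMETHODS, METHODS: the client lists the auth methods it supports."""
    return bytes([VER, len(methods)]) + bytes(methods)

def server_select_method(greeting: bytes, supported) -> bytes:
    """Server side: pick the first method it supports that the client offered.
    A server that only lists USERNAME_PASSWORD refuses unauthenticated clients."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    n = greeting[1]
    methods = greeting[2:2 + n]
    if len(methods) != n:
        raise ValueError("truncated greeting")
    for m in supported:
        if m in methods:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])      # client must close the connection

def encode_address(host: str) -> bytes:
    """ATYP + address; domain names are sent as-is so the proxy resolves them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for one length byte")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed

def client_request(cmd: int, host: str, port: int) -> bytes:
    """VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (network byte order)."""
    return bytes([VER, cmd, 0]) + encode_address(host) + struct.pack("!H", port)

def parse_request(data: bytes):
    """Proxy side: strict parse, rejecting anything that is not well-formed."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if data[2] != 0:
        raise ValueError("reserved byte must be zero")
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        end, host = 5 + n, data[5:5 + n].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("length does not match address type")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port
```

The strictness in `parse_request` matters on the proxy side: the length byte of a domain name and the fixed sizes of the IP forms are what the parser trusts, so every branch re-checks that the message is exactly as long as the header claims before touching the port.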

Page 23

Network Layer Security

Network layer security pertains to security services at the IP layer of the TCP/IP protocol stack. Many years of work have produced a set of standards from the IETF that, collectively, define how to secure services at the IP network layer.

• have considered some application-specific security mechanisms

- e.g. S/MIME, PGP, Kerberos, SSL/HTTPS

• however there are security concerns that cut across protocol layers

• would like security implemented by the network for all

Page 24

IP Security

• is below the transport layer, hence transparent to applications

• can be transparent to end users

• can provide security for individual users if desired

Page 25

IP Security Architecture

The specification is quite complex; it is defined in numerous Requests for Comments (RFCs):

RFC 2401: The IP Security Architecture.

RFC 2402: The IP Authentication Header (AH).

RFC 2406: The IP Encapsulating Security Payload (ESP).

RFC 2408: The Internet Security Association and Key Management Protocol (ISAKMP).

Many others, grouped by category.

Page 26

IPSec Uses

Page 27

IPSec Services

Access control

Connectionless integrity

Data origin authentication

Rejection of replayed packets (a form of partial sequence integrity)

Confidentiality (encryption)

Limited traffic flow confidentiality

Page 28

Virtual Private Dial-up Security Technologies

Enable large enterprises to extend their private networks across dial-up lines, instead of either incurring large costs to ensure security by dialing into a campus site from anywhere in the world, or lessening security by dialing in locally and using the Internet as the transport to get to the main enterprise campus.

The Layer 2 Forwarding (L2F) Protocol

Created by Cisco Systems. It permits the tunneling of the link layer (that is, High-Level Data Link Control (HDLC), async HDLC, or Serial Line Internet Protocol (SLIP) frames) of higher-level protocols.

Figure: Dial-Up Protocol Layers

Page 29

Dial-Up Protocols

The Point-to-Point Tunneling Protocol

Was initiated by Microsoft. It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network and decouples functions that exist in current NASs.

The Layer 2 Tunneling Protocol (L2TP)

Cisco and Microsoft, along with other vendors, have collaborated on a single standards-track protocol within the IETF, which is now called the Layer 2 Tunneling Protocol (L2TP).

Page 30

Public Key Infrastructure

The purpose of a Public Key Infrastructure (PKI) is to provide trusted and efficient key and certificate management to support these protocols. A PKI is defined by the Internet X.509 Public Key Infrastructure PKIX Roadmap ("work in progress") as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke certificates based on public-key cryptography. A PKI consists of the following five types of components:

Page 31

PKI Components

Certification Authorities (CAs) that issue and revoke certificates.

Organizational Registration Authorities (ORAs) that vouch for the binding between public keys, certificate holder identities, and other attributes.

Certificate holders that are issued certificates and that can sign digital documents.

Clients that validate digital signatures and their certification paths from a known public key of a trusted CA.

Repositories that store and make available certificates and Certificate Revocation Lists (CRLs).

NIST Special Publication 800-15, Minimum Interoperability Specification for PKI

Page 33

A Sample Scenario Using a PKI

Page 34

2. The recipient validates that no certificate in the path has been revoked, and that all certificates were within their validity periods at the time the data was signed.

3. The recipient verifies that the data does not claim to have any attributes for which the certificate indicates that the signer is not authorized.

4. The recipient verifies that the data has not been altered since it was signed, by using the public key in the certificate.
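The recipient-side checks of steps 2 to 4, worked over a constructed two-level certification path (signer, issuing CA, trusted root) as an added example; this is not code from the slides, and the chain-building step that precedes step 2 is not shown on the page. Assumptions: certificates are plain dictionaries rather than X.509 encodings, validity periods are ISO dates, revocation is a set of (issuer, serial) pairs standing in for a CRL, the "attributes" of step 3 are reduced to a key-usage list, and signatures use textbook RSA with small Mersenne primes purely so the block runs without a crypto library; it is a toy, not a usable PKI.

```python
import hashlib
import json

# Added example of certification-path checks (not the slides' code).
# Toy RSA with small Mersenne primes: for illustration only.

E = 65537

def keypair(p: int, q: int):
    """Returns (public [n, e], private (n, d))."""
    n = p * q
    return [n, E], (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def tbs(cert: dict) -> bytes:
    """The 'to be signed' part of a certificate, canonically encoded."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def issue(issuer_priv, issuer: str, subject: str, serial: int, pub,
          not_before: str, not_after: str, usage) -> dict:
    cert = {"serial": serial, "issuer": issuer, "subject": subject, "pubkey": pub,
            "not_before": not_before, "not_after": not_after, "usage": sorted(usage)}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def validate_signed_data(data: bytes, data_sig: int, chain, trust_anchor: dict,
                         crl, signed_at: str, needed_usage: str):
    """chain[0] is the signer's certificate; chain[-1] was issued by trust_anchor.
    Returns (ok, reason) so the caller can log why a path was rejected."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_anchor
        if cert["issuer"] != issuer["subject"] or "ca" not in issuer["usage"]:
            return False, f"{cert['subject']}: issuer {cert['issuer']} is not an authorized CA"
        if not verify(issuer["pubkey"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad certificate signature"
        if not (cert["not_before"] <= signed_at <= cert["not_after"]):     # step 2
            return False, f"{cert['subject']}: not valid at {signed_at}"
        if (cert["issuer"], cert["serial"]) in crl:                         # step 2
            return False, f"{cert['subject']}: revoked"
    if needed_usage not in chain[0]["usage"]:                               # step 3
        return False, f"signer is not authorized for {needed_usage}"
    if not verify(chain[0]["pubkey"], data, data_sig):                      # step 4
        return False, "data altered since it was signed"
    return True, "ok"

def build_demo():
    """Constructed path: Root CA -> Issuing CA -> alice. Returns root, chain, alice's key."""
    root_pub, root_priv = keypair(2**31 - 1, 2**127 - 1)
    ca_pub, ca_priv = keypair(2**61 - 1, 2**89 - 1)
    usr_pub, usr_priv = keypair(2**107 - 1, 2**19 - 1)
    root = issue(root_priv, "Root CA", "Root CA", 1, root_pub, "2017-01-01", "2027-01-01", {"ca"})
    ca = issue(root_priv, "Root CA", "Issuing CA", 2, ca_pub, "2017-06-01", "2022-06-01", {"ca"})
    alice = issue(ca_priv, "Issuing CA", "alice", 3, usr_pub, "2018-01-01", "2019-01-01", {"sign"})
    return root, [alice, ca], usr_priv
```

The order of the checks is deliberate: a certificate's signature is verified under its issuer's key before its contents (validity, serial) are trusted for the revocation and period checks, and the data signature is checked last, with the public key taken from the now-validated end-entity certificate rather than from the message. Note also that the validity test uses the time the data was signed, as the slide states, not the time of verification.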

Page 35

X.509 Version 3 certificate and Version 2 CRL

Page 36

Version Number

Serial Number

Issuer

Subject

Subject's Public Key (Algorithm, Key)

Validity Period (not before, not after)

Posted: 08/01/2018, 10:37
