1 / 71

Komunikacijski protokoli in omrežna varnost

AAA. Komunikacijski protokoli in omrežna varnost. A uthentication : who is actually the person or a computer, with whom are we talking A uthorization : if the person or a computer, with whom are we talking with, have privileges to the source / use of service / ...

yosef
Télécharger la présentation

Komunikacijski protokoli in omrežna varnost

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AAA Komunikacijski protokoli in omrežna varnost

  2. Authentication: who is actually the person or a computer, with whom are we talking Authorization: if the person or a computer, with whom are we talking with, have privileges to the source / use of service / ... Accoounting: who has used source/service/... AAA

  3. Authentication: what is authentication, how can it be implemented into protocol Authorization: how can we use it Recording: recording system Protocol for AAA literature: C. Kaufman, R. Perlman, M. Speciner. Network Security – Private Communication in a Public World. Prentice Hall. Vsebina

  4. trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trusttrust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust,trust trust, trust, , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust , trust... Avtentikacija

  5. Two sites (Ana in Borut) are talking and they must believe, that they are real talking to each other • establishing identities at the beginning • maintenance identity through the conversation • How can we believe, that in fact the other site is the real site • the site can be a person or service / program • Ana has to know: • Something about Borut, to get some knowledge about Borut • At which detected Borut, cannot have anyone else Avtentikacija

  6. Borut tells Ani his password • possible attacks: • tapping (stealing in place of transfer) • breaking into the sistem (stealing saved passwords) • Guessing password • Defences: • using safe cryptographic links • securing sistem / passwords • Limiting the attempts of guessing passwords • additional defence • Ana send Borut challenge, which Borut has to know, how to solve it Avtentikacija z gesli

  7. Passwords are stored in all places, where we need them • vulnerability, the problem of changing • passwords are stored in one place and used by all users • protection of transferring a copied to user • we have a special node that provides service for checking password • Special protocol Hranjenje gesel

  8. Saved passwords we double protect it with cryptographic protection • we don’t stored passwords in their original form, but we use safeguarded unidirectional hash functionf • authentication: • Borut calculate f(password) -> g • Borut send g • Ana kept in database g and don’t need password, just check presence g in database Hranjenje gesel

  9. By guessing: we limit the number of attempts • automaton occupy card; • Password is valid to the limit of attempts • Limitation of the password: • The S/KEY One-Time Password System, RFC1760 • A One-Time Password System, RFC2289 • required: find it on the internet and read about it – literature! • challenge: write your own program for S/Key or invent your OTP. Napadi na gesla

  10. Stealing passwords • stolen blind text – change the password • Stolen mapping • On the internet there are base/service, which sistematicly calculate mapping passwords • possible defense– salten passwords • challenge: how to performe salten password? Napadi na gesla

  11. (IP) address presented a passwords or part of it • We trust only few computers • Loging is possible only on those computers • We trust those computers, that they did appropriate authentication (file hosts.equiv, ) • we allow authentication only those computers • required: Consider how to address the authentication at ssh? Naslov kot geslo

  12. key distribution centre • Broker forms a key (password) for every new connection • Short-lived keys • certification authority • Broker provides authorized passwords • Long-lived certificates, must have option to cancel it • Hierarchy of intermediaries Zaupanja vredni posredniki

  13. Using passwords Authentication devices Using biometric characteristics Other options require additional hardware (which we trust) Avtentikacija ljudi

  14. Password shouldn't be easy: length, number of characters, which sings , .. • admin/admin, 1234, unique master citizen number • Password shouldn't be to complicated • NaWUwra66nu5UHAd  • challenge: Find a sistem for creating save passwords. • We change passwords systematic • What if we forget a password? Gesla

  15. cards • Only holders of informations (magnetic recording, optical recording, ...) • Smart cards • Contains a computer, that protects information and to access to a computer  we need password, ... • Use of challenge • Cryptographic computers • Form a time-depended password Avtentikacijski pripomočki

  16. Replace a password Cannot be exchange routine, fingerprint, identification of face, iris, voice, . Biometrične značilnosti

  17. directly • Loging to the console of computer • Remote access: telnet (TELNET Protocol, RFC 139), ssh (Does exsist RFC for ssh?) • challenge: find other RFC documents that is about telnet. • ad hoc form • Using protocols postopek avtentikacije

  18. PPP in PAP: Password authentication protocol CHAP: Challenge-handshake authentication protocol (MS-CHAP) EAP: Extensible Authentication Protocol Protokoli za avtentikacijo

  19. The Point-to-Point Protocol (PPP), RFC 1661 • challenge: find and read RFC. • s replacing data-link layer • at the beginning of sessions is required a authentication PPP in PAP

  20. +----------+-------------+---------+ | Protocol | Information | Padding | | 8/16 bits| * | * | +----------+-------------+---------+ PPP • protocol: • 0001 Padding Protocol • 0003 to 001f reserved (transparency inefficient) • 007d reserved (Control Escape) • 00cf reserved (PPP NLPID) • 00ff reserved (compression inefficient) • 8001 to 801f unused • 807d unused • 80cf unused • 80ff unused • c021 Link Control Protocol • c023 Password Authentication Protocol • c025 Link Quality Report • c223 Challenge Handshake Authentication Protocol

  21. Transport passwords in clean text Last option, if any others failed (and if we are still willing to do) PAP

  22. PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994 • required: find this protocol on the internet and read it – literature! • Prepared for using PPP (poin to point protocol) • Designed  based on a challenge,  that Ana sent message Borutu • Transmission protocol in principle is not defined  (see PPP) CHAP

  23. Three steps: • Ana send a challenge • Borut challenge combine with a password and send it back cryptinated with one-way hash function • Ana verify the correctness of answer • Steps in the  PPP protocol can be many time repeated  • Challenge is send in readable form  • password must be kept on both sides • because the challenge is changing, it is difficult to attack by repeating CHAP

  24. ppp protocol has its own control protocol LCP • it can set various properties and also type of hash function • challenge: where and how can we set it? Katera razpršilna funkcija

  25. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+ CHAP – oblika paketa • Code – code of message: 1 Challenge, 2 Response, 3 Success, 4 Failure • Identifier – connection between steps protocola

  26. Microsoft PPP CHAP Extensions, Version 2, RFC 2759 • challenge: find it on the internet and read it; how it is conducted changing password and what we have to be careful? • There are two versions • required: In which is the version two different from the version one? • Based on the CHAP protocol with two fundamental appendices: • mutual authentication • The ability to change paswords MS-CHAP

  27. Extensible Authentication Protocol (EAP), RFC 3748 –the basic protocol and corrections RFC5247 • challenge: find and read RFC • Framework for protocols and not real protocol because it defines only the format of the messages • usually directly over the data-link layer (ppp, IEEE 802 – ethernet) and also UDP, TCP • challenge: In RFC find, which protocol is using UDP • possibility forwarding – Authentication Server EAP

  28. A way authentication is between the client and the server (authentication user) • Steps for protocol: • authentication user sends request for data; for example. identification, required for authentication including authentication mode, ... • client respond or refuses the way of authentication • steps 1. and 2. are repeated until the server does not identify the client EAP – osnovno delovanje

  29. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Type-Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- EAP – oblika paketa • identical CHAP • request/response package • type – what requred authentication user and what client responds: • 1 Identity • 2 Notification • 3 Nak (Response only) • 4 MD5-Challenge • 5 One Time Password (OTP) • 6 Generic Token Card (GTC) • 254 Expanded Types • 255 Experimental use

  30. when the user is authenticated (identified), we can check the rights that the user has • on Unix systems usually becomes a member of a group or multiple groups, which have certain rights (group) • on MS Windows sistems similar • challenge: there is RFC 2904, AAA Authorization Framework. What's it about and what defines requirements or something else? Avtorizacija

  31. access matrixspecifies the rights of the individual user groups • capability list • access control list • stored locally in the file / files • similar problems as in the storage of passwords • stored on the server • challenge: How is the safety of downloaded messages and encrypting them? Avtorizacija – dostopovna matrika

  32. system to record events and content where and when they occurred • Common form recording on operation sistem is syslog (POSIX standard) • Standardized also at IETF as RFC 5424, The Syslog Protocol. • challenge: compare RFC with “man –k syslog” site? • challenge: find others RFC about syslogu in IETF site, where working group for syslog published documents. Beleženje

  33. Logging is kept in /var/log ...: • Nov 13 17:00:17svarun0sshd[92530]: error: PAM: authentication error for root from ip-62-129-164-36.evc.net • possible level of messages: Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug • challenge: See the file in /var/log/... Beleženje in syslog

  34. on FreeBSD syslogd • configuration in /etc/syslog.conf • challenge: change the configuration so that all messages will be writing down in / var / log / super-log, how to send a note to another computer?, and can we store the same note to multiple locations? Programska oprema security.* /var/log/security auth.info;authpriv.info /var/log/auth.log mail.info /var/log/maillog lpr.info /var/log/lpd-errs ftp.info /var/log/xferlog cron.* /var/log/cron

  35. Interior architecture distributes: • Form of message and their content (RFC 5424) • Way to transmisson messages (RFC 5425) • required: find RFC 5425 and look at which ingredients it speaks– literature! • challenge: find others in RFC, that say about syslog. syslog protokol +---------------------+ +---------------------+ | content | | content | |---------------------| |---------------------| | syslog application | | syslog application | (originator, | | | | collector, relay) |---------------------| |---------------------| | syslog transport | | syslog transport | (transport sender, | | | | (transport receiver) +---------------------+ +---------------------+ ^ ^ | | --------------------------

  36. SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG] HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID PRI = "<" PRIVAL ">" PRIVAL = 1*3DIGIT ; range 0 .. 191 VERSION = NONZERO-DIGIT 0*2DIGIT HOSTNAME = NILVALUE / 1*255PRINTUSASCII APP-NAME = NILVALUE / 1*48PRINTUSASCII PROCID = NILVALUE / 1*128PRINTUSASCII MSGID = NILVALUE / 1*32PRINTUSASCII TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME FULL-DATE = DATE-FULLYEAR "-" DATE-MONTH "-" DATE-MDAY DATE-FULLYEAR = 4DIGIT DATE-MONTH = 2DIGIT ; 01-12 DATE-MDAY = 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on ; month/year FULL-TIME = PARTIAL-TIME TIME-OFFSET PARTIAL-TIME = TIME-HOUR ":" TIME-MINUTE ":" TIME-SECOND [TIME-SECFRAC] TIME-HOUR = 2DIGIT ; 00-23 TIME-MINUTE = 2DIGIT ; 00-59 TIME-SECOND = 2DIGIT ; 00-59 TIME-SECFRAC = "." 1*6DIGIT TIME-OFFSET = "Z" / TIME-NUMOFFSET TIME-NUMOFFSET = ("+" / "-") TIME-HOUR ":" TIME-MINUTE syslog protokol – oblika sporočil STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]" SD-PARAM = PARAM-NAME "=" %d34 PARAM-VALUE %d34 SD-ID = SD-NAME PARAM-NAME = SD-NAME PARAM-VALUE = UTF-8-STRING ; characters '"', '\' and ; ']' MUST be escaped. SD-NAME = 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (") MSG = MSG-ANY / MSG-UTF8 MSG-ANY = *OCTET ; not starting with BOM MSG-UTF8 = BOM UTF-8-STRING BOM = %xEF.BB.BF UTF-8-STRING = *OCTET ; UTF-8 string as specified ; in RFC 3629 OCTET = %d00-255 SP = %d32 PRINTUSASCII = %d33-126 NONZERO-DIGIT = %d49-57 DIGIT = %d48 / NONZERO-DIGIT NILVALUE = "-"

  37. defined in RFC 2865, Remote Authentication Dial In User Service (RADIUS) in RFC 2866, RADIUS Accounting • required: find it on the internet and read about it – literature! • challenge: find other RFC documents, that are dealing with tftp and check, what is say in them. • basic functionality: • authentication, authorization, recording • For authentication it can use other protocols • Look also RFC 4962, Guidance for Authentication, Authorization, and Accounting (AAA) Key Management Protokol RADIUS

  38. three parties involved: • user of a service • Service provider – service provider: NAS, Network access server, which is also RADIUS client • RADIUS server • RADIUS server it can also be only a interface in the access to the second RADISU server RADIUS – osnovna arhitektura NAS RADIUS user

  39. usually directly to a data-link (!) layer • ppp • ethernet • sometimes higher layers such as https • safety! Komunikacija uporabnik – NAS NAS RADIUS user

  40. RADIUS protocol • NAS send: Access Request • RADIUS response: Access Reject, Access Challenge, Access Accept • If no response in period time, the demand is re-send • RADIUS can send demand forward – proxy Komunikacija NAS – RADIUS (AA.) NAS user RADIUS

  41. message Access Request • Diffrent protocols – PAP, CHAP, MS-CHAP, EAP • challenge: look, how it is supported MS-CHAP; RFC 2548, Microsoft Vendor-specific RADIUS Attributes. • challenge: how is the support for EAP? RADIUS – zahteva za dostop

  42. message Access Reject • various reasons: • incorrect password / username, ... • inadequate rights • further clarification may be in the message RADIUS – odklonitev

  43. message Access Challenge • additional password or message in different cases: • another password, • PIN code • established tunnel between the user and authentication user, ... • Something else ... RADIUS – izziv

  44. message Access Accept • RADIUS menu, that access is confirmed / authorized • the password / username as authorization • message can bring additional information, that NAS need set up services (IP address, how to connect L2TP tunel, ...); depending on the service • NAS may obtain additional information from other services– files, LDAP, ... RADIUS – potrjen

  45. proxy • distribution users on areas (sfere) (realm) • area is defined by any set of characters, which is usually similar to the domain name • peter.zmeda@butale.isp • andrej.brodnik@fri.uni-lj.si • Each area has its own RADIUS server RADIUS – medstrežnik in področja

  46. roaming • the service provider via the RADIUS server hosting allows users from other domains in the same field • user from another area may be granted the right to use the services (Authorisation) • Establishing collaboration among areas • authentication in another area RADIUS – medstrežnik in gostovanja

  47. proxy • Connections beetwen servers can be safe (VPN) • Middle server received request can transforme and send on the right server (almost, loohk RFC 2865): • Middle server encrypted message and sends it to the parent server • Parent server returns encrypted respons • challenge: what can and how can change middle server? RADIUS – medstrežnik in preposredovanje

  48. RADIUS protocol • NAS sends: Accounting Request • RADIUS responsei: Accounting Response • If no answer in period time, the request is send again • RADIUS can send request forward – proxy Komunikacija NAS – RADIUS (..A) NAS user RADIUS

  49. We can record three types of events: • The beginning of using services • further use or corrected data • End of use • difference is in the content of the package, while for all one pair of commands RADIUS – beleženje

  50. defined commands(example. RPC, RMI): • Access Request • Access Reject, Access Challenge, Access Accept • Accounting Request • Accounting Response • each of the commands may have different additional features / parameters (attributes) Protokol RADIUS

More Related