More about identity and authentication

Tuomas AuraT-110.5241 Network security

Aalto University, Nov-Dec 2014

This lecture aims to show that authentication is a much more diverse field than it first seems

2

What is hard about authentication in a network?Protocol design?Knowing who you want to talk toEstablishing initial knowledge and trust

For authenticated key exchange, we usually need1. Identifiers2. Prior knowledge and trust in something

Examples:SSL: DNS name and CAKerberos: username, password and authentication centerCellular networks: IMSI and shared key on SIM

Identifiers

3

4

Endpoint namesAuthentication and integrity depend on names (identifiers)Each protocol layer has its own way of naming endpoints:

Ethernet (MAC) addresses in the link layer(e.g. 00-B0-D0-05-04-7E)NAI for network usersIP address in the network layer (e.g. 157.58.56.101)TCP port number + IP addressDNS or NetBIOS name in the higher layers (e.g. smtp.aalto.fi)URI in web pages and services(e.g. http://www.example.org/myservice)Email address for email users

5

Using identifiersHow are names and other identifiers allocated?

Authority, long-enough random numbers, ...

What is the scope of the identifiers and are they unique within the scope?How does one find the owner of a name?

Data delivery, routingResolving name in one protocol layer to the name space of the layer below

How to convince others that this is your name? Authentication, authorization, name ownership

Secure naming is a difficult problem and often leads to vulnerabilities

Prior knowledge and trust

6

7

Typical starting points for authentication

Prior knowledge of cryptographic keys:Known public keysShared master key, e.g. 128-bit shared keyShared weak secret, e.g. password (much harder to use)

Trusted third parties:Certification authorityOnline trusted third party, e.g. RADIUS or Kerberos server

8

What else could be trusted?Secure hardware

Secure cryptoprocessor, e.g. smart cardTrusted execution environment and attestation

Secure channelsSecure offline channel – authentic and/or secret channelMultiple independent channelsLocation-limited channels – attacker not thereHuman voice and video – hard to spoof

Attempts at avoiding trust and prior knowledge completely

Opportunistic security Self-certifying identifiers

Secure hardware

9

10

Secure cryptoprocessorSecure hardware can store cryptographic keys keys cannot be leaked by softwareExamples:

SIM cardFinnish identity card (eID)DESFire smart card, DESFire SAMIBM 4758 cryptographic coprocessorTrusted platform module (TPM)Trusted execution environment

11

Trusted execution environmentIsolated computing environment, typically built into the main CPU

Protects any computation from software attacks

Intel TXT, ARM TrustZone, Global Platform Example uses:

Mobile ticketingStoring cryptographic keys or login credentialsDRM

Remote attestation: can prove to a remote server that it is talking to an unmodified application

Possible to prove configuration even anonymously

Secure channels

12

13

Two-channel authenticationAuthentication over two independent channels attacker needs to compromise both Applications:

Text message to confirm online bank transactionTwo-factor authentication by Google, Microsoft, Facebook etc.

Two insecure channels is better than one – or are they?

Consider malware on a mobile phone

14

Secure offline channelThe channel may be authentic, secret, or bothTraditional offline channels:

User or system administrator configuring secret keysArmed courier, diplomatic mail etc.

Offline channels in device pairing: Touching, magic wandUser-verified key exchangeSound (hard to spoof without detection)User-transferred short secret or authentication codeSynchronous user inputSecret shared data from context sensing

15

Location-limited channelSome channels are relatively secure if the attacker is not in the room at the time of the key exchangeExamples of location-limited channels:

NFC, short-distance and directional radio, Bluetooth, camera, infrared, visible light, audio

Caveats:Audio bugs and cameras get ever smallerComputers and phones can be used for spyingInformation may leak further than you think(e.g. radio signals, displays, keyboards)

16

Human voice or video authenticationIt is still difficult to spoof humans

Remember the Turing test for artificial intelligence

Examples:Personal meetingCryptophone – human voice verification of the key exchange

Caveats:Computers are getting better at processing live voice and videoMeeting a person does not guarantee they are trustworthy

Authentication without trust or prior knowledge

17

18

Opportunistic security, leap of faithOpportunistic encryption: encrypt without authentication

Opportunistic IPsec (RFC 4322)STARTTLS with self-signed certificates

In leap of faith, the first key exchange is unauthenticated, then keys remembered

Secure Shell (SSH) – first introduced leap of faithHTTP strict transport security (HSTS) with self-signed certificates (self-signed not allowed in RFC 6797)

Idea: attacker is unlikely to be always on the line – but is this assumption safe nowadays?Dangers:

Leap of faith cannot be reused to recover from failure after the first authentication (e.g. changed SSH host key)Must be started by a human user, not triggered automatically by network traffic

Resurrecting ducking model for device pairingDevice associates to the first master it sees after reset

19

Self-certifying identifiersPublic key or its hash as entity identifierExamples:

Self-signed certificateCryptographically generated IPv6 addresses (CGA) HIP host identity (RFC 4423)

Hash of the data as object identifierExamples:

Self-certifying file systemBitTorrent and other P2P systems

20

ExercisesCan you design a secure key exchange protocol for connecting home computers to each other based on:

Trusted hub device e.g. the network gatewayUser-verified key exchangeLocation-limited audio channelLeap of faithSelf-certifying identifiers

What are the weaknesses in each solution?Learn about the Bluetooth pairing protocols Learn about the authentication of location updates in Mobile IPv6