Current standard implementations for security/authorization in distributed computing infrastructures
1. Current standard implementations for security/authorization in distributed computing infrastructures. Michele Orrù – Vincenzo Ciaschini, INFN-CNAF. For the complete webinar (with sound) please go to: http://www.ogfeurope.eu/tutorials.aspx
28. given M, it must be easy to calculate H(M) = h
29. given h, it must be difficult to calculate M = H^-1(h)
30. given M, it must be difficult to find M’ such that H(M) = H(M’). A birthday attack is a name used to refer to a class of brute-force attacks. It gets its name from the surprising result that the probability that two or more people in a group of 23 share the same birthday is greater than 50%: such a result is called a birthday paradox. Some years ago Philippe Oechslin published a famous paper named “Making a Faster Cryptanalytic Time-Memory Trade-Off”: RainbowCrack is a general purpose implementation of this paper. It can find collisions on MD5, SHA1, LM, NTLM hashes.
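The birthday bound above, worked through as an added example (not part of the original slides): the first function reproduces the 23-people figure, the second finds a real collision on a deliberately shortened hash to show why digest length matters. The truncation of SHA-256 to a few bits and the message format are assumptions made for the demonstration.

```python
import hashlib
from itertools import count

def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a short hash H (assumption)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def birthday_probability(k: int, n: int) -> float:
    """Probability of at least one collision among k values drawn uniformly from n."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct

def find_collision(bits: int):
    """Hash distinct constructed messages until two share the same truncated digest."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # two different messages, number of hashes computed
        seen[h] = msg

if __name__ == "__main__":
    print("P(collision), 23 people:", round(birthday_probability(23, 365), 4))
    m1, m2, tries = find_collision(24)
    # A 24-bit digest has 2**24 values, yet a collision appears after roughly 2**12 hashes.
    print(m1, m2, "collide after", tries, "hashes")
```

The work grows with the square root of the output space, which is why a hash needs twice as many output bits as the collision resistance it is meant to provide.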
31. Digital Signature. Suppose we have two users, Michele and Vincenzo, who want to communicate respecting principles such as Integrity and Non-repudiation. Michele calculates the hash of the message. Michele encrypts the hash using his private key: the encrypted hash is the digital signature. Michele sends the signed message to Vincenzo. Vincenzo calculates the hash of the message and compares it with the one received from Michele and deciphered with Michele’s public key. If the hashes are equal, the message wasn’t modified and Michele cannot repudiate it.
39. Online Certificate Status Protocol (OCSP): a service hosted by the CA which verifies the validity of the certificates. CA certificates are self-signed.
41. Which CA can you trust in Grid? EUGridPMA (http://www.eugridpma.org/): “The EUGridPMA is the international organization to coordinate the trust fabric for e-Science grid authentication in Europe. It collaborates with the regional peers APGridPMA for the Asia-Pacific and The Americas Grid PMA in the International Grid Trust Federation. The charter document defines the group's objective, scope and operation. It is the basis for the guidelines documents on the accreditation procedure, the Authentication profile for X.509 secured "classic" certification authorities and other IGTF recognised Profiles”. RPMs and DEB metapackages are available for almost every Linux distribution.
50. X.509 Proxy Certificate. On the Grid the user does not use his own long-lived certificate: security problems may arise. The solution is to use an X.509 Proxy Certificate (GSI extension to X.509 Identity Certificates). According to RFC 3820: “Use of a proxy credential is a common technique used in security systems to allow entity A to grant to another entity B the right for B to be authorized with others as if it were A. In other words, entity B is acting as a proxy on behalf of entity A.”
51. X.509 Proxy Certificate: has a limited lifetime; is signed by the normal end entity certificate or by another proxy. Delegation = remote creation of a (second level) proxy credential; it allows a remote process to authenticate on behalf of the user.
52. Virtual Organizations and VOMS. To submit to the Grid, personal certificates are not the end of the story. Users MUST join at least one of the groups allowed to use the Grid resources = Virtual Organization (VO). VOMS (Virtual Organization Membership Service) extends the proxy info with VO membership, group and role.
56. Kerberos aims: The user's password must never travel over the network; The user's password must never be stored in any form on the client machine; The user's password should always be encrypted in the authentication server database; The user is asked to enter a password only once per work session. Therefore users can transparently access all the services they are authorized for. This characteristic is known as Single Sign-On; Not only does the client have to prove that it is who it says it is, but, when requested, the application server must prove its authenticity to the client as well. This characteristic is known as Mutual authentication; Following the authentication and authorization phases, the client and server must be able to encrypt the connection. Kerberos provides support for the generation and exchange of an encryption key K'A to be used to encrypt data.
62. Authentication Server (AS): replies to the initial authentication request from the client, when the user, not yet authenticated, must enter his password.
64. Kerberos operations: AS - AS_req: First user request (kinit command) - AS_rep: it contains the TGT ticket (encrypted using the TGS secret key) and the session key (encrypted using the secret key of the requesting user)
65. Kerberos operations: TGS - TGS_req: includes the TGT obtained from the previous message and an authenticator generated by the client and encrypted with the session key - TGS_rep: the requested service ticket (encrypted with the secret key of the service) and a service session key generated by TGS and encrypted
66. Kerberos operations: AP - AP_req: the service ticket (from TGS) with the previous reply and an authenticator generated by the client, but encrypted using the service session key - AP_rep: the reply that the application server gives to the client to prove it really is the server the client is expecting (only on Mutual Auth)
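The three exchanges above (AS, TGS, AP), modelled end to end with both sides' messages. This is an added example, not code from the slides or from any Kerberos implementation: the `seal`/`unseal` cipher is a toy stand-in for a real Kerberos encryption type, the message fields are reduced to client name, key and timestamp, and all keys, names and the password are constructed.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # SHA-256 counter keystream of at least n bytes (toy)
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):  # toy encrypt-then-MAC standing in for a real Kerberos enctype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def user_key(password):  # long-term user key, derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"target/michele", 10_000)

# Constructed long-term keys held by the KDC (user, TGS) and by the service.
K_USER, K_TGS, K_SVC = user_key("constructed-pw"), os.urandom(32), os.urandom(32)

def as_rep(client):  # AS: TGT under the TGS key, session key under the user's key
    sk = os.urandom(32).hex()
    return seal(K_TGS, {"client": client, "key": sk}), seal(K_USER, {"key": sk})

def _check(ticket_key, ticket, authenticator):  # open ticket, then authenticator with its key
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t, a

def tgs_rep(tgt, authenticator):  # TGS: service ticket under the service key
    t, _ = _check(K_TGS, tgt, authenticator)
    ssk = os.urandom(32).hex()
    return seal(K_SVC, {"client": t["client"], "key": ssk}), seal(bytes.fromhex(t["key"]), {"key": ssk})

def ap_rep(ticket, authenticator):  # service proves itself by returning the timestamp
    t, a = _check(K_SVC, ticket, authenticator)
    return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})

def client_login(client, password):
    tgt, enc = as_rep(client)                                    # AS_req / AS_rep
    sk = bytes.fromhex(unseal(user_key(password), enc)["key"])   # fails on a wrong password
    ticket, enc = tgs_rep(tgt, seal(sk, {"client": client, "ts": time.time()}))
    ssk, ts = bytes.fromhex(unseal(sk, enc)["key"]), time.time()
    reply = ap_rep(ticket, seal(ssk, {"client": client, "ts": ts}))  # AP_req / AP_rep
    return unseal(ssk, reply)["ts"] == ts                        # mutual authentication
```

The password is used only inside `client_login` to derive a key locally; the client can never read the TGT or the service ticket, it only forwards them.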
68. kx509: standalone client that acquires a short-term X.509 certificate from the KCA and stores it in the local user's Kerberos ticket file. The certificate can be used by PKI-aware applications through the kpkcs11 library.
72. BUT some authentication layers, such as PAM on Unix systems, do not use the whole Kerberos auth process by default: they use a shortcut of the first step (see Kerberos operations: AS), trying to decrypt the AS_REP using the password provided by the user, completely ignoring the ticket-granting ticket (TGT).
74. the replay attack requires the ability to listen on the network as well as the ability to send fake packets
77. The trust relationship between each node is ABUSED. As we have discussed before, “Kerberos does not provide any guarantees if the machines or services being used are vulnerable”. Hijacking Kerberos tickets always starts with compromising a kerberized system and gaining root access to it.
78. Kerberos attack techniques. Kerberos Hijacking: practical demonstration

    # ls -al /tmp/krb*
    -rw------- 1 vincenzo eng 383 Aug 28 08:19 /tmp/krb6bb_89763_AX98k3   <-- FREE ACCESS!
    # klist
    Ticket cache: FILE:/tmp/krb6bb_6425   <-- expected filename
    Default principal: michele@target
    Valid starting     Expires            Service principal
    08/28/09 12:14:50  08/28/09 22:14:50  krbtgt/target@target
            renew until 09/05/07 12:14:39

Let's change the file to the expected name and run klist:

    # cp /tmp/krb6bb_89763_AX98k3 /tmp/krb6bb_6425
    # klist
    Ticket cache: FILE:/tmp/krb6bb_6425
    Default principal: vincenzo@target   <---we are now Vincenzo!
    Valid starting     Expires            Service principal
    08/28/07 08:19:42  08/28/07 18:19:42  krbtgt/target@target
            renew until 09/05/07 08:19:42
82. SAML is an OASIS XML-based standard for exchanging A&A data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions)
91. Java Authentication and Authorization Service (JAAS) and Java DataBase Connectivity (JDBC) used to interface the existing infrastructure with Shibboleth.
AES was announced by National Institute of Standards and Technology (NIST). May 26, 2002
VOMS allows distributed collaborations to centrally manage user roles and capabilities. The VOMS user credentials provide additional role and capability data to application service providers that can then be used to make more fully-informed authorization decisions.
MIT developed Kerberos to protect network services provided by Project Athena. The protocol was named after the Greek mythological character Kerberos (or Cerberus), known in Greek mythology as being the monstrous three-headed guard dog of Hades. Several versions of the protocol exist; versions 1–3 occurred only internally at MIT.
http://www.citi.umich.edu/projects/kerb_pki/
Timestamps: time-based authenticators shrink the time window during which the authenticator can be reused. Tickets can be address-full, meaning that the IP addresses for which tickets have been generated get embedded inside the ticket. Thus the server is able to verify these addresses against the connection source IP address. While it might represent a true challenge to enforce address-full tickets in a realistic environment, very few common services actually verify these addresses, in fact none in a Microsoft Windows environment and only KDC services under Unix environment. Replay cache: a server can store previously submitted authenticators during their lifetime and detect their reuse. The last countermeasure is to use a keyed cryptographic checksum in the upper-layer protocol using the session key (unknown by the replaying attacker).
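How a server can combine the first three countermeasures above when an authenticator arrives, as an added example that is not part of the original notes. It assumes the authenticator has already been decrypted with the session key; the class name, the 300-second tolerance, the principal and the documentation-range addresses are assumptions, and the clock is passed in so the constructed sequence is reproducible.

```python
import time

class ReplayCache:
    """Server-side acceptance check for authenticators already decrypted with the session key."""

    def __init__(self, max_skew=300.0):          # seconds of tolerated clock difference (assumed)
        self.max_skew = max_skew
        self.seen = {}                           # (client, timestamp) -> time the entry expires

    def check(self, client, ts, source_ip=None, ticket_addrs=None, now=None):
        now = time.time() if now is None else now
        # Entries older than the window can be dropped: the timestamp test rejects them anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if abs(now - ts) > self.max_skew:
            return "reject: timestamp outside window"
        if ticket_addrs and source_ip not in ticket_addrs:
            return "reject: source address not in ticket"
        if (client, ts) in self.seen:
            return "reject: replayed authenticator"
        self.seen[(client, ts)] = ts + self.max_skew
        return "accept"

def demo():
    """Constructed sequence of authenticator arrivals, evaluated against a fake clock."""
    rc, addrs = ReplayCache(), ["192.0.2.5"]
    return [
        rc.check("michele@target", 1000.0, "192.0.2.5", addrs, now=1001.0),  # first use
        rc.check("michele@target", 1000.0, "192.0.2.5", addrs, now=1002.0),  # same one resent
        rc.check("michele@target", 1002.5, "192.0.2.9", addrs, now=1003.0),  # from another host
        rc.check("michele@target", 1000.0, "192.0.2.5", addrs, now=1400.0),  # resent much later
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The cache only has to remember an authenticator for as long as its timestamp would still be accepted, which keeps its size bounded.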
Hijacking Kerberos tickets always starts with compromising a kerberized system and gaining root access: - privilege escalation - password sniffing - shoulder surfing
Key benefits: Relieves remote service providers from having to manage user lists for every institution that uses their services. Allows "home institutions" to protect the identities of their users from remote service providers. Leverages existing authentication systems at home institutions. Flexible, distributed architecture supports a variety of usage scenarios.
Without AAI: - Different login processes - Often IP-based authorization - Many resources not protected due to difficulties With AAI: - Single login process for the users - Many new resources (that weren’t protected when AAI was not implemented) now become available for the users
Shibboleth is a Java web app. Web/application servers supported: Tomcat/JBoss; Apache + Tomcat/JBoss; IIS + Tomcat/JBoss