Outline. A Horde of Protocols. An Encouraging Message. Lots of Protocols = Lots of Problems. Implementation Flaws

Similar documents
CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

PPP Configuration Options

Network Access Flows APPENDIXB

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Wireless LAN Security. Gabriel Clothier

Chapter 10 Security Protocols of the Data Link Layer

User Authentication. Modified By: Dr. Ramzi Saifan

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

User Authentication. Modified By: Dr. Ramzi Saifan

A Secure Wireless LAN Access Technique for Home Network

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Crypto meets Web Security: Certificates and SSL/TLS

Ju-A A Lee and Jae-Hyun Kim

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

SSL/TLS. Pehr Söderman Natsak08/DD2495

Windows authentication methods and pitfalls

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Implementing Cryptography: Good Theory vs. Bad Practice

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

PASSWORDS & ENCRYPTION

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Encryption. INST 346, Section 0201 April 3, 2018

Network Security. Chapter 10 Security Protocols of the Data Link Layer

Cheating CHAP. Sebastian Krahmer February 2, 2002

CSE 127: Computer Security Cryptography. Kirill Levchenko

A B S T R A C T. Index Terms: MPPE; PPTP; RC4; Cipher; VPN; MSCHAPv2 I. INTRODUCTION

CPSC 467b: Cryptography and Computer Security

How to Break EAP-MD5

Verifying Real-World Security Protocols from finding attacks to proving security theorems

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Chapter 4: Securing TCP connections

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Port-based authentication with IEEE Standard 802.1x. William J. Meador

CPSC 467: Cryptography and Computer Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Security: Cryptography

Analysis of VPN Protocols

Network Security and Cryptography. 2 September Marking Scheme

Introduction to Cyber Security Week 2: Cryptography. Ming Chow

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

MS-PPTP 1, 1. Abstract( )

Pre-exam 3 Review. Fall Paul Krzyzanowski Distributed Systems

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

TLS1.2 IS DEAD BE READY FOR TLS1.3

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Proving who you are. Passwords and TLS

More Attacks on Cryptography 3/12/2010

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Outline Key Management CS 239 Computer Security February 9, 2004

CSCE 715: Network Systems Security

IEEE 802.1X workshop. Networkshop 34, 4 April Josh Howlett, JRS Technical Support, University of Bristol. Copyright JNT Association

Authentication Handshakes

Cryptography and Network Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Computer Networks & Security 2016/2017

CSC 474/574 Information Systems Security

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

ppp accounting through quit

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Security Handshake Pitfalls

Security Handshake Pitfalls

Goals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack

CS November 2018

Internet Engineering Task Force (IETF) Category: Standards Track March 2011 ISSN:

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

CSC 474/574 Information Systems Security

Security in IEEE Networks

Farewell Syskey! 2017 Passcape Software

BTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security

Hands-On Ethical Hacking and Network Defense 3rd Edition

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Virtual Private Network

Attack on Sun s MIDP Reference Implementation of SSL

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

SSL/TLS. How to send your credit card number securely over the internet

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Transport Layer Security

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Configuring L2TP over IPsec

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Secure Socket Layer. Security Threat Classifications

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Configuring OpenVPN on pfsense

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Lecture 1 Applied Cryptography (Part 1)

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

MZ Firmware Release Notes

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Transcription:

Outline Windows Protocol Analysis: MSCHAP & Friends Gros, Charles-Henri Haley, David Lisanke, Bob Schaff, Clovis Overview of Windows Security Issues Various Protocols and Problems Introducing MSCHAP MSCHAP to MSCHAP2 MSCHAP2 to PEAP Murϕ Models Lessons Learned An Encouraging Message A Horde of Protocols Wed Mar 10, 6:55 PM ET SEATTLE (Reuters) - Microsoft Corp. (Nasdaq:MSFT( - news) upgraded a recent security warning to "critical" after discovering new ways in which an attacker could run malicious software on a vulnerable computer, the world's largest software maker said on Wednesday. The software flaw, which affects the two latest versions of Microsoft's Outlook e-mail, e calendar and contacts program, were initially rated as "important" in Microsoft's monthly security bulletin issued on Tuesday. Transport Layers NetBIOS, NetBEUI, TCP/IP Protocols on top SMB, RPC, NetMeeting Many dialects of protocols SMB: PCNP1.0, LanMan 1.0/2.0, NT LM 0.12, CIFS Lots of Protocols = Lots of Problems Backwards compatibility between all various dialects More implementations: more potential for human error (incorrect code ) Most protocol weaknesses seem unrelated to the protocol itself Implementation Flaws Old friends like Buffer Overflows Holes in client-side code (ActiveX ) Poor crypto implementation might be easier to crack Programmer Laziness/Carelessness 1

Troubleshooting Humanware Windows empowers the user, less restrictive environment Easy for the unwary user to execute unwanted code (email virus) Convenience vs. Security (automatic parsing of HTML email, etc.) Uneducated user = highly vulnerable The Password Paradigm Completely and utterly depends on secrecy and strength of password Many ways to fool uneducated user into giving away password (impersonating administrators, etc.) Reused password = less secure Windows Protocols Hard to find current specifications Hard to tell off-hand why some services are running, others aren t Many are activated for unclear reasons (e.g. SQL server) To understand requires a competence which most end-users lack Where did all the specs go? Long time passing There seem to be no formal specs for CIFS (protocol for Windows file-sharing) Without a current and authoritative protocol specification, there is no external reference against which to measure the correctness of an implementation, and no way to hold anyone accountable. Since Microsoft is the market leader [ ] the behavior of their clients and servers is the standard against which all other implementations are measured. Christopher Hertel, http://www.ubiqx.org/cifs/smb.html Chosen Area: Point to Point Authentication Windows supports: Password Authentication Protocol CHAP: Challenge-Handshake Authentication Protocol MSCHAP: MS extensions to CHAP MSCHAP2: Fixes to MSCHAP Others (EAP, PEAP ) PAP: passwords transmitted in plaintext Acceptable before when networks were very small (MS)CHAP s major improvement: passwords no longer transmitted in plain text! Sounds good But CHAP does not specify which encryption algorithm to use. MSCHAP on the other hand, does. 2

CHAP Protocol Events & Background Authenticator Challenge Response Success / Failure Peer August 1996 RFC 1334: CHAP Oct 1998 RFC 2433: MSCHAP1 Jan 2000 RFC 2759: MSCHAP2 Nov 2001 1.4 Update to Win98 Dial-Up Up-Networking, implements MSCHAP2 Oct 2003: PEAP Internet Draft Protected Extensible Authentication Protocol. Combines TLS and MSCHAP2. Cryptanalysis of Microsoft s Point to Point Tunneling Protocol (PPTP) Schneier & Mudge (98) For Virtual Private Network, connection over TCP/IP link Microsoft s implementation breaks down: Authentication level = MS-CHAP Encryption = RC4 Point to Point Tunneling Protocol: data channel encapsulated in PPP packets; no protocol specification for security MS-PPTP: server under WinNT auth. options: clear password, or hashed, or challenge- response MS-PPTP Cryptanalysis Part 2 LanMan Hash Windows NT hash functions: LanManager hash based on DES; Win NT hash based on MD4 LM s hash is home-made made and weak: truncates password to 14-char string; converts lowercase to uppercase; splits 14-byte in two 7-byte 7 halves, giving two DES keys with keys, encr.. magic "KGS!@#$%" -> > 2 8-byte 8 strings concatenate those string : 16-byte hash value WinNT hash: 16-byte hash with MD4, no salt either MS-PPTP Cryptanalysis Part 3 MS-CHAP Challenge MS-CHAP Challenge-Response step: Authenticator Challenge: 8-byte random value Client side: for both LM and NT hash function 1. computes 16-byte hash value 2. Zero-Pad to get to 21-byte value -> > 3 7-byte 7 DES keys 3. encrypt challenge with each DES key 4. concatenate those 3 8-byte 8 values -> > 24-byte response Client Response: send back both values, with a flag MS-PPTP cryptanalysis Part 4 Challenge view Secret Password: P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 10 P 11 P 12 P 13 LM hash of the password: H 0 H 1 H 2 H 3 H 4 H 5 H 6 H 7 H 8 H 9 H 10 H 11 H 12 H 13 H 14 H 15 3 DES keys derived: K 0 K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 K 11 K 12 K 13 Challenge response: 3 DES encryptions of 8-byte challenge: R 0 R 1 R 2 R 3 R 4 R 5 R 6 R 7 DES (opt.) K 14 K 15 0 16 0 17 0 18 0 19 0 20 DES R 8 R 9 R 10 R 11 R 12 R 13 R 14 R 15 R 16 R 17 R 18 R 19 R 20 R 21 R 22 R 23 3

MS-PPTP cryptanalysis Part 5 Attack on MS-CHAP Cryptanalysis of MS-CHAP: Dictionary attack [LOpht[ proved it is efficient] Offline: pre-computed DES encryption of each likely values of P0 P6 and P7 P13 Given R 0 R 7 R 8 R 15 R 16 R 23 seen on link: 1. Retrieve K 14 and K 15 : average 2 15 DES ops. 2. for N 2 likely values of P 7 P 13 : (DES encr.. known) K 14 and K 15 retrieved : N 2 /2 16 DES trials max 3. for N 1 likely values of P 0 P 6 : K 7 retrieved : N 1 /2 8 DES trials max Cryptanalysis of MS-PPE: secret key also based on password The LOpht LOpht Crack on the LanMan Password Hash Creator: Mudge, Schneier s co-author of the article April 97, Electronic Engineering Times: Explanation of Mudge s motivations; Nash, MS director of marketing for Windows NT Server, answers back. Mudge would like to have MS policy on security changed; Nash claims enough internal beta-testing testing July 98, Windows &.NET magazine: NT Server Security Checklist excerpts Enforce strong password policy Use password crackers: The latest version of L0phtCrack is Microsoft's worst nightmare and every NT administrator's new best friend. Murϕ Modeling of CHAP (RFC 1994) (MS)CHAP1 Problems AUTHENTICATOR A_SLEEP A_LINKED 1) ClientHello 2) Session + Nonce PEER P_LINK P_WAIT_CHALLENGE CHAP and MSCHAP both suffer from man-in in-the-middle (no server authentication). Murϕ verified this. A_WAIT_RESPONSE 3) Session + {Session + Password + Nonce} hash 4) Success/Failure MSCHAP1: Failure_PasswordExpired forces bad LanMan hash to be sent P_WAIT_OK A_SUCCESS A_FAILURE P_SUCCESS P_FAILURE Thus Came MSCHAP2 MSCHAP2 addresses two points: Cryptography: uses SHA-1, MD4 Man-in in-the-middle partially solved: server authentication through client challenge Client sends its own challenge along with its response In success message server sends monster-hash back Thursday, March 11, 2004 Murϕ State Model: MS-CHAP 2 AUTHENTICATOR PEER A_SLEEP 1) ClientHello P_LINK 2) Session + Nonce1 A_LINKED A_WAIT_RESPONSE 3) Session + Nonce2 + NT_RESPONSE 4) Session + Success Failure + SERVER_RESPONSE P_WAIT_CHALLENGE P_WAIT_OK A_SUCCESS A_FAILURE P_SUCCESS P_FAILURE NT_RESPONSE = { H(N1 + N2 + Username) } pw_hash SERVER_RESPONSE = H( H(pw_hash), NT_RESPONSE, H(N2, N1, Username)) Page 1 4

MSCHAP2 To be able to generate response hash, one needs to have the plain-text or 1-step 1 hashed password available. According to Murϕ however there is still a man-in in- the-middle attack Solution: send server s s name in the hash MSCHAP2 still depends on password integrity! Microsoft decided to keep backwards compatibility with MSCHAP1 so the attacker can convince both the client and server to negotiate that instead! Modeling Procedure Modeled CHAP discovered basic attack (MitM( MitM) Modeled MSCHAP1 verified MitM, and that intruder could convince client to send LanMan hash Modeled MSCHAP2 but ran into a wall Modeling Difficulties Schneier article polluted first attempt. We knew what we wanted to show, so we designed the model to show it! Left out many possible intruder moves Model felt bad and was obviously incomplete Redesigned model to have a much more robust intruder. This confirmed MitM for MSCHAP2, which did not appear with weaker model Conclusions Hard to sort through morass of informal specifications MSCHAP2 seems to fix MSCHAP1 problems, but allows for version rollback attacks Murϕ seems adequate for this protocol However, the found attacks are obvious enough after having formalized the RFCs Conclusions, cont d MSCHAPv2: better crypto, but still only as secure as password Backwards compatibility removes much of the point of an upgrade both for MSCHAPv1 (LanMan( hash) and MSCHAPv2 (compatibility with v1) MSCHAPv1 mistake (poor hash) should have been avoided Improper, insufficient cryptanalysis Big problem with MSCHAPv1 is not the fault of the protocol itself MSCHAPv2: more robust crypto, but protocol is still flawed References RFCs http://www.zvon.org/tmrfc/rfc2759/output/index.html http://www.zvon.org/tmrfc/rfc2433/output/index.html http://www.zvon.org/tmrfc/rfc1994/output/index.html RFCs Schneier papers: http://www.schneier.com/paper-pptp.html pptp.html http://www.schneier.com/paper-pptpv2.html pptpv2.html 5

References, cont d MS Knowledge Base Articles 297816, 285189, 297840, 297818 MSDN: http://msdn.microsoft.com/library/en-us/wceeap/html us/wceeap/html/ cxconextensibleauthenticationprotocol.asp SMB/CIFS: What is SMB?,, Richard Sharpe, 2002, http://samba.org/cifs/docs/what-is is-smb.htmlsmb.html Implementing CIFS,, Christopher R. Hertel,, 2003, http://www.ubiqx.org/cifs www.ubiqx.org/cifs/ 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback