Radius, LDAP, Kerberos used in Authenticating Users


CSCD 303 Lecture 5, Fall 2018
Radius, LDAP, Kerberos used in Authenticating Users

Authentication and Authorization
Previously said that identification, authentication and authorization are critical to computer security, agree?
There are two main forms of authentication:
Local: the user's own machine.
Remote: the user joins a domain, logs in to a web service or other web interface.
Sometimes authentication happens behind the scenes, by a program or computer acting on your behalf.

The Authentication Process in General
In most cases, the act of identifying users and providing network services to them based on their identity.
Mainly done through a centralized authentication service.

Authentication
1. Why do you want or need centralized authentication?
2. What are the advantages of having centralized authentication?

Centralized Authentication
Why do I want centralized authentication? If I manage a domain of multiple machines and devices, I want a way to manage users and accounts from one place; that is convenient and efficient.
What are the advantages of having centralized authentication?
No need to configure changes on each separate network device when users are added or deleted, or change passwords.
Users and their credentials are kept in one place.
Easier to manage and to maintain consistency.

User Authentication
Basic authentication: the user supplies a username and password to access networked resources.
For the most part, ignoring biometrics.
Users who need to legitimately access internal servers in a network must be added to access control lists (ACLs).

User Authentication Showing Roles (diagram)

Client Authentication
Same as user authentication but with additional time limit or usage limit restrictions; the notion of paying for services.
When configuring, set up one of two types of authentication system: a standard sign-on system or a specific sign-on system.

Client Authentication (diagram)

Session Authentication
Required any time the client establishes a session with a server or other networked resource.
Has an element of time and the idea of session expiration.

Comparison of Authentication Methods (table)

Centralized Authentication
A centralized server maintains all authorizations for users regardless of where the user is located and how the user connects to the network.
Most common methods: Kerberos; TACACS+ (Terminal Access Controller Access Control System); RADIUS (Remote Authentication Dial-In User Service).
Look at each of these.

Process of Centralized Authentication (diagram)

Kerberos Authentication Service

Kerberos: etymology
The 3-headed dog that guards the entrance to Hades. The 3 heads represent the 3 A's: Authentication, Authorization, Auditing.
Kerberos came from MIT about 1983. Now an open-source standard used in Mac OS, Windows, some Linux and many Cisco routers.

Kerberos
Provides authentication and encryption through clients and servers.
Uses a Key Distribution Center (KDC) to issue tickets to those who want access to resources.
Used internally on Windows 2000/XP on up.
One major advantage: passwords are not stored on the local system; they are stored in a central database.

Design Requirements
Interactions between hosts and clients should be encrypted.
Goals: overcome password sniffing and password database stealing; protect against intercepted credentials and man-in-the-middle attacks.
Must be convenient for users (or they won't use it).

Cryptography Approach
Private key: each party uses the same secret key to encode and decode messages (symmetric cryptography).
Trusted third party: a party which can vouch for the identity of both parties in a transaction. The security of the third party is critical.

Symmetric Key Cryptography
Aka secret key cryptography: the same key is used for both encryption and decryption operations (symmetry).
Examples: DES, 3-DES, AES. DES: Data Encryption Standard. AES: Advanced Encryption Standard.

How does Kerberos Work?
Instead of the client sending its password to the application server, it requests a ticket from the Authentication Server; the ticket and an encrypted request are then sent to the application server.
How to request tickets without repeatedly sending credentials? The ticket granting ticket (TGT): a special ticket which contains a session key for communication between the client machine and the central KDC server.

Kerberos Authentication (diagram). TGT = Ticket Granting Ticket.

Kerberos Operation
Slides use diagrams from: https://www.itprc.com/kerberos-authentication-works/
1. The authentication service, or AS, receives the request from the client and verifies that the client is indeed who he/she claims to be.
2. Upon verification, a timestamp is created: the current time is put in a user session, along with an expiration date. The default expiration of a timestamp is 8 hours. An encryption key is then created. The timestamp ensures that when the 8 hours are up, the encryption key is useless.

Kerberos Operation
3. The key is sent back to the client in the form of a ticket-granting ticket, or TGT. This ticket is issued by the authentication service and is used for authenticating the client for future reference.
4. The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated by the TGS.

Kerberos Operation
5. When the client wants to access a service, the TGS creates an encrypted key with a timestamp and grants the client a service ticket.
6. The client decrypts the ticket and then sends its own encrypted key to the service.

Kerberos Operation
7. The service decrypts the key and makes sure the timestamp is still valid. If it is, the service contacts the key distribution center to receive a session that is returned to the client.
8. The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.

Kerberos Authentication Overview
1. The client authenticates itself to the Authentication Server (AS), which forwards the username to a key distribution center (KDC).
2. The KDC issues a ticket-granting ticket (TGT), which is time stamped, encrypts it using the ticket-granting service's (TGS) secret key, and returns the encrypted result to the user's workstation.
3. This is done infrequently, typically at user logon.
4. The TGT expires at some point, although it may be renewed by the user's session manager while they are logged in.

Advantages of Kerberos
The authentication server keeps a centralized database storing the secret keys of the users and services.
Designed to be secure over insecure networks; resistant to attackers and eavesdroppers.
Symmetric key encryption is computationally efficient.
Kerberos centralizes authentication for an entire network rather than storing sensitive authentication information at each user's machine; the data is only maintained in one, presumably secure, location.

Disadvantages of Kerberos
What are some disadvantages?
Kerberos has a single point of failure: if the Key Distribution Center becomes unavailable, the authentication scheme for an entire network may cease to function.
If an attacker compromises the KDC, the authentication information of every client and server on the network would be revealed.
Kerberos requires that all participating parties have synchronized clocks, since time stamps are used.
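To make the ticket flow from the Kerberos Operation and Kerberos Authentication Overview slides concrete, and to show why the clock-synchronization point in the disadvantages matters, here is an added Python model written for this edit; it is not code from the lecture and not MIT Kerberos. It keeps the slides' 8-hour ticket lifetime, uses a constructed KDC key database (principals alice and host/fileserver), stands in a toy SHA-256 keystream with an HMAC tag for real Kerberos encryption, and assumes a 300-second tolerance for authenticator timestamps. It demonstrates three things the slides argue: the password never leaves the client, an expired TGT is refused, and a client whose clock has drifted is refused even with the right password.

```python
"""Toy Kerberos exchange: AS issues a TGT, TGS issues a service ticket, the service
checks ticket and timestamp. The crypto here is a stand-in, not Kerberos encryption."""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # the 8-hour lifetime quoted on the slides
CLOCK_SKEW = 300             # assumed tolerance for authenticator timestamps, seconds


def derive_key(password: str) -> bytes:
    """Stand-in for string-to-key: the KDC stores this, never the password itself."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))


def seal(key: bytes, payload: dict) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC tag). Demonstration only."""
    plain = json.dumps(payload).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


def _check_authenticator(ticket: dict, session_key: bytes, authenticator: bytes, now: float) -> None:
    """The authenticator proves the sender holds the session key and that its clock agrees with ours."""
    a = unseal(session_key, authenticator)
    if a["user"] != ticket["user"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside skew window: check clock sync")


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) over one key database."""

    def __init__(self, passwords: dict):
        self.keys = {name: derive_key(pw) for name, pw in passwords.items()}
        self.tgs_key = os.urandom(32)   # the TGS (krbtgt) key, known only to the KDC

    def as_exchange(self, user: str, now: float):
        """Steps 1-3: session key sealed under the user's key, TGT sealed under the TGS key."""
        if user not in self.keys:
            raise ValueError("unknown principal")
        session, expires = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgt = seal(self.tgs_key, {"user": user, "key": session, "expires": expires})
        return seal(self.keys[user], {"key": session, "expires": expires}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 4-5: validate the TGT and a fresh authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        _check_authenticator(t, session, authenticator, now)
        svc_session, expires = os.urandom(32).hex(), min(t["expires"], now + TICKET_LIFETIME)
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_session, "expires": expires})
        return seal(session, {"key": svc_session, "expires": expires}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Steps 6-8 on the service side: the service needs only its own key, not the KDC."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    _check_authenticator(t, bytes.fromhex(t["key"]), authenticator, now)
    return t["user"]


def login_and_access(kdc: KDC, user: str, password: str, service: str, now: float,
                     client_clock_offset: float = 0.0) -> str:
    """The client's view of the whole flow; the password never leaves the client."""
    client_now = now + client_clock_offset
    enc_part, tgt = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(derive_key(password), enc_part)["key"])  # wrong password fails here
    enc_part2, ticket = kdc.tgs_exchange(tgt, seal(session, {"user": user, "timestamp": client_now}), service, now)
    svc_session = bytes.fromhex(unseal(session, enc_part2)["key"])
    # A real service holds its own key; this demo reads it from the shared key database.
    return service_accept(kdc.keys[service], ticket, seal(svc_session, {"user": user, "timestamp": client_now}), now)


def try_login(*args, **kwargs) -> str:
    """Wraps login_and_access so each refusal reason comes back as a string."""
    try:
        return "OK:" + login_and_access(*args, **kwargs)
    except ValueError as e:
        return "REFUSED:" + str(e)


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse", "host/fileserver": "svc-secret"})   # constructed principals
    t0 = 1_700_000_000.0
    print(try_login(kdc, "alice", "correct horse", "host/fileserver", t0))
    print(try_login(kdc, "alice", "wrong password", "host/fileserver", t0))
    print(try_login(kdc, "alice", "correct horse", "host/fileserver", t0, client_clock_offset=3600))
```

Running the block prints one accepted login and two refusals. The skew check is what the "synchronized clocks" disadvantage is about: without it a captured authenticator could be presented again later, so every party's clock has to agree within the tolerance.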

TACACS and TACACS+
Terminal Access Controller Access-Control System (TACACS) is a protocol set created and intended for controlling access to UNIX terminals.
Cisco created a new protocol called TACACS+, which was released as an open standard in the early 1990s.
Not backwardly compatible with TACACS.

TACACS+
Latest and strongest version of a set of authentication protocols for dial-up access (Cisco Systems).
Provides AAA services: Authentication, Authorization, Auditing.
Uses the MD5 algorithm to encrypt data.

TACACS+
TACACS+ lets the client accept a username and password and send a query to the TACACS+ authentication server, sometimes called a TACACS daemon or simply TACACSD.
TACACS+ uses the Transmission Control Protocol (TCP), a reliable network protocol.
The server determines whether to accept or deny the authentication request and sends a response back.

TACACS+
An example is a Cisco switch authenticating and authorizing administrative access to the switch's IOS. The switch is the TACACS+ client, and Cisco Secure ACS is the server.

TACACS+ Usage Today
Device administration can be interactive, with the need to authenticate once but authorize many times during a single administrative session in the command line of the device.
A router or switch may need to authorize a user's activity on a per-command basis; TACACS+ is designed to accommodate that type of authorization need.
As the name describes, TACACS+ was designed for device administration AAA: to authenticate and authorize users into mainframe and Unix terminals, and other consoles.
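The MD5 "encryption" the TACACS+ slides mention is the body obfuscation defined in RFC 8907 (which, with TCP transport and the cleartext header, is what the switch and Cisco Secure ACS exchange). The following added Python example, written for this edit and not taken from the lecture or from any Cisco or open-source TACACS+ implementation, builds an authentication START packet with it and parses it back. The shared key, session id, user name and port are constructed. RFC 8907 calls this mechanism obfuscation rather than encryption because the pad carries no integrity tag, so a receiver with the wrong key gets garbage instead of an error; that is why the parser here checks the body's length fields before trusting it.

```python
"""TACACS+ framing and body obfuscation (RFC 8907): a 12-byte cleartext header plus a body
XORed with an MD5 pseudo-pad derived from the shared key and header fields."""
import hashlib
import struct

VERSION = 0xC0                       # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01              # set only in the RFC's cleartext debugging mode
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1, 1
HEADER = "!BBBBII"                   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1); join and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: eight fixed bytes, then user, port, rem_addr, data."""
    fixed = bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes, ptype: int = TYPE_AUTHEN) -> bytes:
    """Client side: header in the clear, body XORed with the pad (client packets use odd seq_no)."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    header = struct.pack(HEADER, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def parse_packet(key: bytes, packet: bytes) -> bytes:
    """Server side: re-derive the pad from the header fields and the key, return the body.
    There is no integrity tag, so a wrong key yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))


def parse_authen_start(body: bytes) -> dict:
    """Decode a START body; length fields that do not add up signal a wrong key or tampering."""
    if len(body) < 8:
        raise ValueError("body too short")
    action, priv, atype, svc, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not match body: wrong key?")
    i = 8
    user, i = body[i:i + ulen], i + ulen
    port, i = body[i:i + plen], i + plen
    rem_addr, i = body[i:i + rlen], i + rlen
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user, "port": port, "rem_addr": rem_addr, "data": body[i:i + dlen]}


if __name__ == "__main__":
    key = b"tacacs-shared-key"                              # constructed shared key
    body = authen_start_body(b"alice", b"tty0", b"10.0.0.5")  # constructed user, port, address
    pkt = build_packet(key, 0x1234ABCD, 1, body)
    print("header (clear):", pkt[:12].hex(), " body (obfuscated):", pkt[12:].hex())
    print("decoded with the right key:", parse_authen_start(parse_packet(key, pkt)))
```

The header fields (type, sequence number, session id, length) are visible to anyone on the path, which is why the slides' comparison treats TACACS+ as stronger than RADIUS only in that it hides the whole body rather than a single attribute, not as a substitute for transport protection.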

RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management.
Uses UDP and transmits authentication packets unencrypted across the network.
Provides a lower level of security than TACACS+ but is more widely supported.

Radius Components
RADIUS includes three components: an authentication server, client protocols, and an accounting server.
The RADIUS server portion of the protocol is usually a background process running on a UNIX or Microsoft Windows server.

Radius History and Use
RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol. It later became an Internet Engineering Task Force (IETF) standard.
Often used by Internet service providers (ISPs) and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services.
RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport.

Radius
RADIUS uses two packet types to manage the full AAA process: Access-Request, which manages authentication and authorization, and Accounting-Request, which manages accounting.

Radius Steps
1. A user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.
2. In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
3. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP.
4. The user's identification is verified.

Radius Steps
5. The RADIUS server then returns one of three responses to the Network Access Server: 1) Access-Reject, 2) Access-Challenge, or 3) Access-Accept.
Access-Reject: the user is unconditionally denied access to all requested network resources.
Access-Challenge: requests additional information from the user such as a secondary password, PIN, token, or card.
Access-Accept: the user is granted access.

Radius Using CHAP (Example)
CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than the Password Authentication Protocol (PAP). Here's how CHAP works:
1. The client uses a hash function to calculate a specific value that is then sent to the server, which matches the incoming value against the server's own calculated value, usually derived from the password.
2. If the values match, the client is granted server access. Otherwise, the connection is automatically terminated.
PAP only does this once; CHAP does this repeatedly, by sending challenge messages that change and that the client must respond to, making sure the client has not been replaced by an intruder. This also protects against replay attacks, since the challenge value changes.
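To show the replay protection this slide describes, here is an added Python example of RFC 1994 MD5-CHAP on the authenticating side, with a PAP authenticator beside it for contrast. It was written for this edit and is not code from the lecture or from any RADIUS or PPP implementation; the user name and shared secret are constructed. The replay_demo function records what goes over the wire in one login of each kind and presents it again after the server has issued a fresh challenge: CHAP refuses the old response, while PAP, whose credential is the password itself, cannot tell a replay from a genuine login.

```python
"""CHAP (RFC 1994) challenge/response, contrasted with PAP, to show why a changing
challenge stops replay. Names and secrets are constructed for the demo."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge per round and accepts each one only once."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # name -> shared secret held by the server
        self.outstanding = {}           # name -> (identifier, challenge) awaiting a response
        self.identifier = 0

    def challenge(self, name: str):
        """Send a new Challenge packet; the Identifier changes with every challenge."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[name] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Recompute the expected hash for the outstanding challenge; each challenge is consumed once."""
        pending = self.outstanding.pop(name, None)
        if pending is None or pending[0] != identifier or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], pending[1])
        return hmac.compare_digest(expected, response)


class PapAuthenticator:
    """PAP for contrast: the password itself is the credential, so a captured one works again."""

    def __init__(self, secrets: dict):
        self.secrets = secrets

    def verify(self, name: str, password: bytes) -> bool:
        return name in self.secrets and hmac.compare_digest(self.secrets[name], password)


def replay_demo() -> dict:
    """Capture one login of each kind, present it again later, and report what each server decided."""
    secret = b"s3cret-between-alice-and-nas"    # constructed shared secret
    chap, pap = ChapAuthenticator({"alice": secret}), PapAuthenticator({"alice": secret})

    ident, chal = chap.challenge("alice")
    captured_chap = (ident, chap_response(ident, secret, chal))   # what went over the wire
    chap_first = chap.verify("alice", *captured_chap)

    ident2, _ = chap.challenge("alice")                  # periodic re-challenge: new random value
    chap_replay = chap.verify("alice", ident2, captured_chap[1])

    captured_pap = secret                                # PAP sends the password itself
    return {"chap_first": chap_first, "chap_replay": chap_replay,
            "pap_first": pap.verify("alice", captured_pap), "pap_replay": pap.verify("alice", captured_pap)}


if __name__ == "__main__":
    print(replay_demo())
```

Note that MD5-CHAP still requires the server to hold the shared secret in a form it can hash, which is one reason the slide's "usually a password" is stored on the server side in cleartext or reversibly; that is a trade-off of the scheme rather than a bug in this example.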

Radius also used for Accounting
RADIUS has built-in support for session accounting.
When network access is granted by the NAS, an Accounting Start packet is sent to the RADIUS server to signal the start of the user's access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.
When the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, with final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
The purpose of this data is that the user can be billed accordingly; it is also used for network statistical purposes.
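The Access-Request, Access-Accept and Accounting Start/Stop packets from the RADIUS slides above, built the way RFC 2865 and RFC 2866 define them, in an added Python example written for this edit; it is not code from the lecture or from any RADIUS server or NAS. The shared secret, user name, password, NAS address and session values are constructed. It goes a little beyond the slides by parsing the request back off the wire, which shows what "transmits authentication packets unencrypted" means in practice: every attribute except User-Password is readable, and the shared secret serves only to hide that one attribute and to let the NAS verify that a reply really came from the server.

```python
"""RADIUS packets per RFC 2865 (authentication) and RFC 2866 (accounting). Only the
User-Password attribute is hidden; the shared secret also authenticates the reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCESS_CHALLENGE = 1, 2, 3, 4, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
ACCT_START, ACCT_STOP = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute list after the 20-byte header: exactly what a sniffer on the path sees."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                   nas_ip: bytes = bytes([192, 168, 1, 1]), nas_port: int = 0):
    """NAS -> server. Returns the packet and the random Request Authenticator the NAS must keep."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, nas_ip)
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def response(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server -> NAS. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """NAS check that the Accept/Reject/Challenge came from a holder of the shared secret."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, hashlib.md5(head + request_auth + attrs + secret).digest())


def accounting_request(secret: bytes, ident: int, status: int, session_id: bytes,
                       username: bytes, extra_attrs: bytes = b"") -> bytes:
    """RFC 2866 Start/Stop record; its Authenticator is MD5 over the packet with 16 zero bytes + secret."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status)) + attr(ACCT_SESSION_ID, session_id)
             + attr(USER_NAME, username) + extra_attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


def verify_accounting(secret: bytes, packet: bytes) -> bool:
    """Server check of an Accounting-Request before it is written to the billing log."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, hashlib.md5(head + bytes(16) + attrs + secret).digest())


if __name__ == "__main__":
    secret = b"shared-secret-nas-1"          # constructed NAS/server shared secret
    req, ra = access_request(secret, 7, b"alice", b"hunter2")
    print("on the wire:", {t: v for t, v in parse_attrs(req)})   # User-Name readable, password hidden
    print("accept genuine:", verify_response(secret, response(secret, ACCESS_ACCEPT, 7, ra), ra))
    stop = accounting_request(secret, 8, ACCT_STOP, b"sess-0001", b"alice",
                              attr(ACCT_SESSION_TIME, struct.pack("!I", 3600))
                              + attr(ACCT_INPUT_OCTETS, struct.pack("!I", 120000))
                              + attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", 1)))   # 1 = User Request
    print("stop record valid:", verify_accounting(secret, stop))
```

Two things to take from running it: the User-Name, NAS address and port in the Access-Request are plain bytes, so a RADIUS exchange over an untrusted segment leaks who is logging in from where; and the password hiding depends entirely on the shared secret, which is why RADIUS deployments pair it with a strong per-NAS secret and a protected transport (the IPsec or TLS tunnelling the slides' TACACS+ comparison hints at) rather than relying on the MD5 construction alone.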

TACACS+ and RADIUS Compared
Strength of security; filtering characteristics; proxy characteristics; NAT characteristics.

Strength of Security
Purpose: device administration (TACACS+) versus network access (RADIUS).
Radius and TACACS+ compared: http://etutorials.org/networking/wireless+lan+security/chapter+2.+basic+security+mechanics+and+mechanisms/authentication+and+identity+protocols/

LDAP
Lightweight Directory Access Protocol. Windows Active Directory is based on LDAP.
Active Directory is a directory of objects and provides a single location for object management. Queries to Active Directory use the LDAP format.
Will cover Active Directory later...

Single Sign On (SSO)

Single Sign On
Traditional single sign-on allows a user to log in once, using a single authentication method, to gain access to multiple hosts and/or applications.
May also provide access control / authorization features: authorization policies restrict which applications or systems a user has access to, and what the user can and can't do on these applications and systems.

Traditional SSO: Pros and Cons
Pros: very easy to use; reduces support costs; reduces logon cycles.
Cons: integration of legacy systems can be expensive and time consuming; a single point of attack (attack the SSO host); scripting solutions often lead to storage of passwords and IDs on the client.

Traditional SSO: How It Works
Authenticate once to access many.
Login credentials (ID and authentication) are usually stored locally and transparently presented to the system or application when needed.
The user does not always know his/her credentials are being presented.

Implementation of SSO
SSO is implemented in many ways: Kerberos is considered an SSO method; smart card technology is SSO; OAuth from Google; OpenID.

Centralized Authentication Summary
Overview of authentication and its importance to networks and system security.
The authentication server handles username and password maintenance/generation, login requests, and auditing.
Examples of centralized authentication systems: Kerberos, TACACS+, RADIUS.

References
TACACS+: https://www.networkworld.com/article/2838882/radius-versus-tacacs.html
Radius: https://en.wikipedia.org/wiki/radius
Kerberos: https://worldhack001.blogspot.com/2016/05/what-is-kerberos-and-his-advantages-and.html and https://www.itprc.com/kerberos-authentication-works/

The End
See the Assignments page for the new assignment on Authentication.