Computer Networks II, advanced networking

Similar documents
Part II. Raj Jain. Washington University in St. Louis

TSIN02 - Internetworking

TSIN02 - Internetworking

TSIN02 - Internetworking

Network Access Flows APPENDIXB

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

RADIUS - QUICK GUIDE AAA AND NAS?

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 494/594 Computer and Network Security

Password. authentication through passwords

AUTHENTICATION AND LOOKUP FOR NETWORK SERVICES

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Network Security and Cryptography. 2 September Marking Scheme

Cryptography and Network Security. Sixth Edition by William Stallings

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

The OpenSSH Protocol under the Hood

Network security session 9-2 Router Security. Network II

CSC 474/574 Information Systems Security

Diameter. Term Paper Seminar in Communication Systems. Author: Christian Schulze Student ID: Date: February 4, 2003 Tutor: Martin Gutbrod

Keywords Session key, asymmetric, digital signature, cryptosystem, encryption.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

RESTCOMMONE. jdiameter. Copyright All Rights Reserved Page 2

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Once all of the features of Intel Active Management Technology (Intel

Exercises with solutions, Set 3

Radius, LDAP, Radius used in Authenticating Users

Firewalls, Tunnels, and Network Intrusion Detection

CSCE 813 Internet Security Secure Services I

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Verifying Real-World Security Protocols from finding attacks to proving security theorems

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Configuring Security for the ML-Series Card

CSCE 715: Network Systems Security

Computer Networks. Wenzhong Li. Nanjing University

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Security Handshake Pitfalls

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Authentication Handshakes

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

AAA Working Group Pat R. Calhoun

REMOTE AUTHENTICATION DIAL IN USER SERVICE

Overview. RADIUS Protocol CHAPTER

Authenticating on a Ham Internet

CS Computer Networks 1: Authentication

CSC 474/574 Information Systems Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Authentication. Chapter 2

Protocol Comparisons: OpenSSH, SSL/TLS (AT-TLS), IPSec

Security Handshake Pitfalls

Scalable and Interoperable DDS Security

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Offline dictionary attack on TCG TPM weak authorisation data, and solution

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Key Management and Distribution

Wireless LAN Security. Gabriel Clothier

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5

Encryption. INST 346, Section 0201 April 3, 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Cisco Systems 5760 Wireless LAN Controller

Cryptography V: Digital Signatures

Chapter 4: Securing TCP connections

CLIENT SERVER SYNERGY USING VPN

Cryptography V: Digital Signatures

APNIC elearning: Cryptography Basics

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Kerberos and Single Sign On with HTTP

HP Instant Support Enterprise Edition (ISEE) Security overview

Session key establishment protocols

Session key establishment protocols

CPSC 467: Cryptography and Computer Security

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Chapter 6: Security of higher layers. (network security)

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

UNIT - IV Cryptographic Hash Function 31.1

Host Identity Protocol. Miika Komu Helsinki Institute for Information Technology

GSS-REST, a Proposed Method for HTTP Application-Layer Authentication

Table of Contents. Diameter Base Protocol -- Pocket Guide 1

Request for Comments: 5422 Category: Informational H. Zhou Cisco Systems March 2009

HOST Authentication Overview ECE 525

Cryptography - SSH. Network Security Workshop May 2017 Phnom Penh, Cambodia

Network Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System

Cryptography - SSH. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Radius, LDAP, Radius, Kerberos used in Authenticating Users

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

(2½ hours) Total Marks: 75

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Security Setup CHAPTER

Mobility support in RADIUS and Diameter

Transcription:

Computer Networks II, advanced networking AAA II What is AAA Harri Toivanen 11.11.2004

AAA What today? Authentication methods Weak Authentication Radius Diameter

Authentication methods Authentication methods with some properties IP-address Can be easily forged User ID and password Without encryption under can be easily stolen The people willingly choose easy to remember passwords and so easy to guess passwords One time passwords will make much stronger

Authentication methods Authentication methods with some properties (cont.) Challenge response In general case can be used to prove some characteristic like humanity Shared secret (cryptographic: symmetric key) Cannot prove individual user Proves to be a member of a certain group

Authentication methods Authentication methods with some properties (cont.) Asymmetric keying / public key cryptocraphy An individual player can be identified The methods are assumed to be hard to solve without actual private key New mathematic methods can be found to break the used methods

Weak Authentication Weak Authentication: How to Authenticate Unknown Principals without Trusted Parties J. Arkko and P. Nikander Proceedings of Security Protocols Workshop 2002, Cambridge, UK, April 16-19, 2002 http://www.tml.hut.fi/~pnr/publications/cam2002b.pd f

Weak Authentication Abstract This paper discusses "weak authentication" techniques to provide cryptographically strong authentication between previously unknown parties without relying on trusted third parties. There is already in use several technques using 'Weak Authentication'

Weak Authentication Categories of techniques Spatial Separation Ability of a node to ensure that its peer is on a specific communications path Temporal Separation The general ability of the peers to relate communications at time t l to some earlier communications at time t 0

Weak Authentication Categories of techniques (cont.) Asymmetric Costs Usually it is easier for the attacker to find a single security hole than for the defender to block all holes Fortunately, this asymmetric situation can sometimes be reversed and used to the defenders' advantage Application Semantics Certain applications may offer particular semantics that can be employed to produce weak forms of authentication

Weak Authentication Categories of techniques (cont.) Combined and Transitive Techniques The techniques presented above can be combined Web-of-trust models and information from neighbours could potentially be used together

Weak Authentication Some Concrete Techniques Anonymous Encryption unauthenticated Diffie-Hellman key exchange Challenge-Response Challenge-response techniques can be used to ensure freshness and, under certain assumptions, that the peer is on a specific path towards the given address It is therefore typically used to ensure spatial separation.

Weak Authentication Some Concrete Techniques Leap-of-Faith Leap-of-faith is another method based on temporal separation, but it also encompasses aspects from spatial separation and asymmetric cost war It has been successfully employed, e.g., in the SSH protocol

Radius Remote Authentication Dial In User Service (RADIUS) is defined in RFC 2865 It is intented to authenticate dial-in-access customers It is a client server protocol, where a Network Access Server (NAS) is a client and Radius Server is a server The security of Radius is based on pre-shared secret

Radius There can be more than one server serving one client A server can act as a proxy Technically Radius is based on UDP messages because of effeciency reasons No keep-alive signalling is desirable

Radius It has the following signals defined: 1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server (experimental) 13 Status-Client (experimental) 255 Reserved

Radius Radius server Radius server IP-network client POTS NAS Radius server

Diameter Diameter Base Protocol is defined in RFC 3588 It provides the following facilities: Delivery of AVPs (attribute value pairs) Capabilities negotiation Error notification Extensibility, through addition of new commands and AVPs Basic services necessary for applications, such as handling of user sessions or accounting

Diameter It is using TCP and SCTP for transportation It can be secured with IPSEC and TLS End-to-end security is strongly recommended, but not requested It is based on request answer signal pairs In the Diameter network there can be Clients, Relays and Servers and relay, proxy, redirect, and translation agents

Diameter Connections vs. Sessions +--------+ +-------+ +--------+ Client Relay Server +--------+ +-------+ +--------+ <----------> <----------> peer connection A peer connection B <-----------------------------> User session x

Diameter Relaying of Diameter messages +-------+ ---------> +------+ ---------> +-------+ 1. Request 2. Request NAS DRL HMS 4. Answer 3. Answer +-------+ <--------- +------+ <--------- +-------+ example.net example.net example.com

Diameter Redirecting a Diameter Message +-------+ DRD +--------+ ^ 2. Request 3. Redirection Notification v +-------+ ---------> +--------+ ---------> +--------+ 1. Request 4. Request NAS DRL HMS 6. Answer 5. Answer +-------+ <--------- +--------+ <--------- +--------+ example.net example.net example.com

Diameter Translation of RADIUS to Diameter +-------+ --------------> +------+ --------------> +--------+ RADIUS Request Diameter Request NAS TLA HMS RADIUS Answer Diameter Answer +-------+ <---------------- +------+ <-------------- +--------+ example.net example.net example.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback