Network security # Lecture 2 | PPTX
CSC8 – NETWORK SECURITY
KABUL EDUCATION UNIVERSITY
COMPUTER SCIENCE DEPARTMENT
LECTURER: ISLAHUDDIN JALAL
MASTER IN CYBER SECURITY
9/16/2017 KABUL EDUCATION UNIVERSITY 1
Second week course outlines
Overview of network security
◦ Security Concerns of authentication
◦ Access Control
◦ Identification
◦ Authentication
◦ Authorization
◦ Identity Management
◦ Password and password management
◦ Kerberos
Class Policy
A student must reach the class-room in time. Late comers may join the class but are not entitled
to be marked present.
Attendance shall be marked at the start of the class and students failing to secure 75%
attendance will not be allowed to sit in final exam.
The assignment submission deadline must be observed. In case of late submission, ten percent may be deducted for each day.
Those who are absent on the announcement date of an assignment/test must get the topic/chapter of the test/assignment confirmed through their peers.
Mobile phones must be switched-off in the class-rooms.
Grading Evaluation for Network Security
Internal Evaluation
Midterm Exam 20%
Attendance 5%
Assignment/Presentations 5%
Quizzes/Tests 10%
Total Internal Evaluation 40%
Final-term Examination
Final-term Exam 60%
Total Marks 100%
SECURITY CONCERNS
Key concerns are confidentiality and timeliness
◦ Prevent unauthorized access
◦ Ensure freshness of data
To provide confidentiality, one must encrypt identification and session key information
◦ This requires the use of previously shared private or public keys
Timeliness is needed to prevent replay attacks
◦ by using sequence numbers, timestamps or challenge/response
ACCESS CONTROLS
Security features that control how users and systems communicate and interact with other systems and resources
Protect the systems and resources from unauthorized access, and monitor the activities through:
◦ identification, authentication, authorization and accountability
Subject: an active entity that requests access to an object or the data within an object
Object: a passive entity that contains information
Access: the flow of information between a subject and an object
IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION
• Identification
– Ensure that a subject (user, program, or process) is the entity it claims to be
– Identification can be provided with the use of a username or account number
• Authentication
– The subject is usually required to provide a second kind of credential, such as a password, passphrase, cryptographic key, personal identification number (PIN), biometrics, or token
IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION
• Authorization
– A process that grants or denies a subject access to an object
• A subject needs to be held accountable for the actions taken within a system or domain. Accountability can only be ensured if the subject can be uniquely identified and the subject’s actions are recorded
• Technical/logical access controls are tools used for identification, authentication, authorization, and accountability
IDENTIFICATION AND AUTHENTICATION
Three general factors for authentication:
◦ Something a person knows: A password, PIN, mother’s maiden name, or
combination to a lock
◦ Something a person has: A key, swipe card, access card, or badge
◦ Something a person is: Unique physical attribute (biometrics)
Two-factor authentication
◦ Strong authentication contains more than one of these three methods
IDENTIFICATION AND AUTHENTICATION
Identification Requirements
◦ Each value should be unique, for user accountability
◦ A standard naming scheme should be followed
◦ The value should be non-descriptive of the user’s position or tasks
◦ The value should not be shared between users
IDENTITY MANAGEMENT
Automated products to identify, authenticate, and authorize subjects
Used to manage individuals, their authentication, authorization, and privileges within or across systems.
The objective is to increase security and productivity and decrease cost, downtime and redundant tasks
E.g. LastPass, KeePass, Password Safe (password managers), etc.
IDENTITY MANAGEMENT
Examples of technologies, services and terms related to identity management:
◦ Active Directory, Service Providers, Identity Providers, Web Services, Access control,
Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token
Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC
Common services provided
◦ Password synchronization and resetting
◦ Delegation of administrative tasks
◦ Centralized auditing and reporting
◦ Integrated workflow and increase in business productivity
◦ Regulatory compliance
PASSWORDS
A password is something the user knows
Passwords are one of the most used authentication mechanisms
It is important that passwords are strong and properly managed
However, passwords are also one of the weakest security mechanisms
PASSWORD MANAGEMENT
System-generated passwords should be uncomplicated, pronounceable, non-dictionary words, to help users remember them so that they aren’t tempted to write them down
User-generated passwords should contain a certain number of characters, be unrelated to the user ID, include special characters, include upper- and lowercase letters, and not be easily guessable
Users should be forced to change their passwords periodically
PASSWORD MANAGEMENT
• As a precaution to the users:
– A message can be presented to a user indicating the date and time of the last successful logon, the location of this logon, and whether there were any unsuccessful logon attempts
– A certain number of failed logon attempts (the clipping level) is accepted before a user is locked out
• An audit trail can also be used to track password usage and successful and unsuccessful logon attempts
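An added example (Python, not from the lecture) that puts the two preceding slides into code: the user-generated password rules, the clipping level that locks an account after too many failed logons, the last-logon notice shown on success, and an audit trail of every attempt. The policy numbers, the tiny dictionary, the PBKDF2 round count and the sample user are assumptions.

```python
# Added example (not from the lecture): password policy check, clipping-level
# lockout, last-logon notice and audit trail. Policy values, the mini
# dictionary and the sample user/password are assumptions for the demo.
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

MIN_LENGTH = 12        # assumed policy minimum
CLIPPING_LEVEL = 5     # failed attempts accepted before lockout (assumed)
PBKDF2_ROUNDS = 50_000
DICTIONARY = {"password", "welcome", "kabul", "university", "letmein"}  # constructed wordlist
DEMO_TIME = datetime(2017, 9, 16, 8, 0, tzinfo=timezone.utc)


def check_password_policy(user_id, password):
    """Return the list of policy rules the password violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    # Strip digits and symbols so that "Password123!" is still caught as a dictionary word.
    if re.sub(r"[^A-Za-z]", "", password).lower() in DICTIONARY:
        problems.append("is a dictionary word")
    return problems


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Toy authentication server: stores salted hashes, never cleartext passwords."""

    def __init__(self):
        self.accounts = {}
        self.audit_trail = []   # (time, user_id, source, outcome)

    def enroll(self, user_id, password):
        problems = check_password_policy(user_id, password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user_id] = {"salt": salt, "hash": _derive(password, salt),
                                  "failed": 0, "locked": False,
                                  "last_logon": None, "last_source": None}

    def logon(self, user_id, password, source, now=DEMO_TIME):
        """Return 'denied', 'locked', or the precautionary welcome message on success."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._audit(now, user_id, source, "unknown user", "denied")
        if acct["locked"]:
            return self._audit(now, user_id, source, "locked", "locked")
        if not hmac.compare_digest(_derive(password, acct["salt"]), acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= CLIPPING_LEVEL:          # clipping level reached
                acct["locked"] = True
                return self._audit(now, user_id, source, "failed, locked out", "locked")
            return self._audit(now, user_id, source, "failed", "denied")
        if acct["last_logon"] is None:
            msg = "Welcome: first logon"
        else:
            msg = (f"Last successful logon {acct['last_logon'].isoformat()} from "
                   f"{acct['last_source']}; {acct['failed']} failed attempt(s) since then")
        acct.update(last_logon=now, last_source=source, failed=0)
        return self._audit(now, user_id, source, "success", msg)

    def _audit(self, now, user_id, source, outcome, result):
        """Record the attempt in the audit trail and hand back the logon result."""
        self.audit_trail.append((now.isoformat(), user_id, source, outcome))
        return result


if __name__ == "__main__":
    print(check_password_policy("ahmad", "Password123!"))
    srv = AuthServer()
    srv.enroll("ahmad", "Gran-Hewad-Afghanistan7")
    print(srv.logon("ahmad", "Gran-Hewad-Afghanistan7", "10.0.0.5"))
    print(srv.logon("ahmad", "wrong", "10.0.0.9"), srv.logon("ahmad", "wrong", "10.0.0.9"))
    print(srv.logon("ahmad", "Gran-Hewad-Afghanistan7", "10.0.0.5"))
    for entry in srv.audit_trail:
        print(entry)
```

The failed-attempt counter is reset only by a successful logon, so the same number serves both as the clipping-level counter and as the "failed attempts since your last logon" figure in the welcome message.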
PASSWORD MANAGEMENT
Password attack techniques
◦ Electronic monitoring
  ◦ Listening to network traffic to capture information. The password can be copied and reused by the attacker at another time, which is called a replay attack
◦ Access to the password file
  ◦ Usually done at the authentication server. This file should be protected with access control mechanisms and encryption
PASSWORD MANAGEMENT
Password attack techniques
◦ Brute-force attacks
  ◦ Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
◦ Dictionary attacks
  ◦ Files of thousands of words are compared against the user’s password until a match is found
◦ Social engineering
  ◦ An attacker falsely convinces an individual that he/she has the necessary authorization to access specific resources
PASSWORD CHECKERS
Test the strength of user-chosen passwords using tools that perform dictionary and/or brute-force attacks to detect weak passwords
You need to obtain management’s approval before attempting the test
Password cracker: usually the same kind of tool used by attackers to obtain passwords
PASSWORD HASHING AND ENCRYPTION
When a password is sent over the network, it should not be sent in cleartext
The password should be hashed or encrypted before use
Picture Source: RAHUL THADANI
COGNITIVE PASSWORDS
A user is enrolled by answering several questions based on her life experiences that she is not likely to forget
The user then answers the questions, instead of having to remember a password
This authentication process is best for a service the user does not use on a daily basis, because it takes longer than other authentication mechanisms
ONE-TIME PASSWORDS
Also called a dynamic password
Used for authentication purposes and is only used once (cannot be reused)
E.g.: Token device
◦ Usually a handheld device that has an LCD display and possibly a keypad
◦ This hardware is separate from the computer that the user wants to access
◦ Generates a one-time password to be entered by the user when logging onto a computer
ONE-TIME PASSWORDS
Two types of token device
◦ Synchronous token device
◦ Asynchronous token device
ONE-TIME PASSWORDS
• Synchronous Token Device:
– Usually requires a hardware device called a security token, given to each user to generate a one-time password.
– E.g. a small calculator or a dongle with an LCD display that shows random numbers. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server.
– The generation of new passwords is based on the current time
ONE-TIME PASSWORDS
Asynchronous Token Device:
[Figure: Token Device. Source: Certified Information Systems Security Professional]
ONE-TIME PASSWORDS
Both token systems can fall prey to masquerading if a user shares his identification information (ID or username), or the token device is shared or stolen
The token device can also suffer battery failure or other malfunctions
However, this type of system is not vulnerable to electronic eavesdropping, sniffing, or password guessing
Two-factor authentication is used:
• The user has to enter a password or PIN into the token device before it provides a one-time password: something the user knows (the PIN) and something the user has (the token device)
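An added example (not from the lecture) of how the two token types and the PIN-plus-token second factor are verified on the server side. The synchronous token is the time-based construction of RFC 6238 (the RFC 4226 HMAC-based code over a 30-second counter), accepted within a one-step clock-skew window; the asynchronous token is shown in the usual challenge/response form, which the slides name but do not describe, so that part is an assumption. Every code is accepted at most once. Secrets, step size, window and clock values are constructed for the demo.

```python
# Added example (not from the lecture): server-side verification of the two
# one-time-password token types plus the PIN factor. Secrets, step size,
# skew window and clock values are assumptions for the demo.
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30    # time step of the synchronous token
DIGITS = 6
SKEW_WINDOW = 1      # accept codes from +/- one step to absorb clock drift


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time):
    """Synchronous token (RFC 6238): the counter is the number of time steps so far."""
    return hotp(secret, unix_time // STEP_SECONDS)


def challenge_response(secret, challenge):
    """Asynchronous token: the answer is an HMAC of the server's random challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:12]


class TokenServer:
    """Authentication server side: holds each user's PIN hash and token secret."""

    def __init__(self):
        self.users = {}            # user -> {"pin_hash", "secret"}
        self.used_codes = set()    # (user, code) already accepted: replay is refused
        self.open_challenges = {}  # user -> outstanding challenge

    def enroll(self, user, pin, secret):
        self.users[user] = {"pin_hash": hashlib.sha256(pin.encode()).digest(), "secret": secret}

    def _pin_ok(self, user, pin):
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["pin_hash"],
                                                       hashlib.sha256(pin.encode()).digest())

    def verify_totp(self, user, pin, code, server_time):
        """Factor 1: the PIN. Factor 2: a synchronous code valid within the skew window."""
        if not self._pin_ok(user, pin) or (user, code) in self.used_codes:
            return False
        step = server_time // STEP_SECONDS
        for drift in range(-SKEW_WINDOW, SKEW_WINDOW + 1):
            if hmac.compare_digest(hotp(self.users[user]["secret"], step + drift), code):
                self.used_codes.add((user, code))   # one-time: never accept it again
                return True
        return False

    def issue_challenge(self, user):
        self.open_challenges[user] = os.urandom(16)
        return self.open_challenges[user]

    def verify_response(self, user, pin, response):
        """Factor 1: the PIN. Factor 2: the token's answer to the latest challenge (used once)."""
        challenge = self.open_challenges.pop(user, None)
        if challenge is None or not self._pin_ok(user, pin):
            return False
        expected = challenge_response(self.users[user]["secret"], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"constructed-demo-token-secret"
    srv = TokenServer()
    srv.enroll("ahmad", "4321", secret)
    t = 1_505_548_800                 # assumed server clock (unix seconds)
    code = totp(secret, t - 20)       # the token's clock runs 20 s slow
    print("synchronous:", srv.verify_totp("ahmad", "4321", code, t))
    print("same code again:", srv.verify_totp("ahmad", "4321", code, t))
    ch = srv.issue_challenge("ahmad")
    print("asynchronous:", srv.verify_response("ahmad", "4321", challenge_response(secret, ch)))
```

The skew window is what makes a token whose clock has drifted a few seconds still work; widening it beyond one or two steps only lengthens the time during which a captured code remains usable, which is why the server also remembers codes it has already accepted.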
CRYPTOGRAPHIC KEYS
Use a private key or generate a digital signature
Private keys and digital signatures have higher security protection than
passwords
A private key is a secret value that should be in the possession of one person,
and one person only and it should never be disclosed to an outside party
A digital signature is a technology that uses a private key to encrypt a hash value
(message digest)
PASSPHRASE
• A sequence of characters that is longer than a password (thus a “phrase”), used as a password during an authentication process
• The passphrase is transformed into a virtual password, with the length and format required for authentication
• A passphrase is more secure than a password because it is longer, and it is easier to remember than a password
• E.g.:
– “Gran Hewad Afghanistan”
– “Nangarhar hamesha Bahar”
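An added example (not from the lecture) for the “virtual password” idea on this slide and for the hashing slide above: the passphrase is turned into a fixed-length secret with PBKDF2-HMAC-SHA256 and a random salt, the server keeps only that record, and verification re-derives the key and compares it in constant time. The record format, iteration count and sample phrases are assumptions.

```python
# Added example (not from the lecture): a passphrase becomes a fixed-length
# "virtual password" via PBKDF2-HMAC-SHA256; the server stores only salt and
# derived key. Record format, iteration count and sample phrases are assumptions.
import base64
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000   # assumed; tune to the server's CPU budget
KEY_BYTES = 32         # length of the virtual password
ALGORITHM = "pbkdf2-sha256"


def _b64(raw):
    return base64.b64encode(raw).decode()


def virtual_password(passphrase, salt, iterations=ITERATIONS):
    """Derive a fixed-length secret from a phrase of any length. NFKC normalization
    makes the same phrase typed with different keyboard layouts give the same bytes."""
    data = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations, dklen=KEY_BYTES)


def make_record(passphrase):
    """What the server stores: algorithm, iterations, salt and derived key, never the phrase."""
    salt = os.urandom(16)
    key = virtual_password(passphrase, salt)
    return f"{ALGORITHM}${ITERATIONS}${_b64(salt)}${_b64(key)}"


def verify(record, passphrase):
    """Re-derive from the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = virtual_password(passphrase, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(key_b64))


def records_differ_for_same_phrase(passphrase):
    """Two enrolments of one phrase give different records, because each gets its own salt."""
    return make_record(passphrase) != make_record(passphrase)


if __name__ == "__main__":
    record = make_record("Nangarhar hamesha Bahar")
    print(record)
    print(verify(record, "Nangarhar hamesha Bahar"))    # correct phrase
    print(verify(record, "Nangarhar hamesha bahar"))    # one letter differs
    print(records_differ_for_same_phrase("Gran Hewad Afghanistan"))
```

Because the iteration count is part of the record, it can be raised for new enrolments while old records stay verifiable, and the salt means that two users who chose the same phrase do not end up with the same stored value.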
ACCESS CRITERIA
Granting access rights to subjects based on the level of trust a company has in a subject and the subject’s need to know
Five different access criteria
1. Roles
– An efficient way to assign rights to a subject who performs a certain task that is based on a job assignment or function
2. Group
– Users that require the same access to a resource are grouped, and rights and permissions are then assigned to that group
– Easier to manage than assigning rights and permissions to each and every individual separately
ACCESS CRITERIA
3. Physical or logical location
– Control object access for a subject that logs on interactively (locally) or remotely
4. Time of day
– Defining the time and duration during which object access is available to a subject (e.g. office hours/off hours)
5. Transaction type
– Access criteria can be used to control which object is accessed during certain types of functions and which commands can be carried out on the object
DEFAULT: NO ACCESS
Access control mechanisms should default to no access, to provide the necessary
level of security and ensure that no security holes go unnoticed
If access is not explicitly allowed, it should be completely denied
NEED TO KNOW
Need-to-know principle is similar to the least-privilege principle
The concept that individuals should be given access only to the information that
they absolutely need in order to perform their job duties
Grant the least amount of privileges, but just enough for that individual to be
productive when carrying out tasks
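An added example (not from the lecture) that turns the three preceding slides into one decision function: the five access criteria are fields of explicit grant rules, need-to-know is expressed by grants that name one object and only the actions needed for the work, and any request that no rule allows is denied (default: no access). The rules, subjects, hours and requests are constructed for the demo.

```python
# Added example (not from the lecture): an access decision with default deny,
# applying the five access criteria from the slides. Rules, subjects, hours
# and requests are constructed for the demo.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


@dataclass
class Request:
    subject: Subject
    obj: str          # object requested (file, table, service)
    action: str       # transaction type: "read", "write", "transfer", ...
    location: str     # "local" (interactive logon) or "remote"
    hour: int         # local hour of the day, 0-23


@dataclass
class Rule:
    """One explicit grant. A criterion left as None does not restrict the grant."""
    obj: str
    actions: set
    roles: Optional[set] = None
    groups: Optional[set] = None
    locations: Optional[set] = None
    hours: Optional[tuple] = None     # (start_hour, end_hour), end exclusive

    def allows(self, r: Request) -> bool:
        if r.obj != self.obj or r.action not in self.actions:
            return False
        if self.roles is not None and not (r.subject.roles & self.roles):
            return False
        if self.groups is not None and not (r.subject.groups & self.groups):
            return False
        if self.locations is not None and r.location not in self.locations:
            return False
        if self.hours is not None and not (self.hours[0] <= r.hour < self.hours[1]):
            return False
        return True


def decide(rules, request):
    """Default no access: ('ALLOW', rule) for the first explicit grant, else ('DENY', None)."""
    for rule in rules:
        if rule.allows(request):
            return "ALLOW", rule
    return "DENY", None


OFFICE_HOURS = (8, 16)

# Constructed policy. Need-to-know: each grant names one object and only the
# actions that the role or group actually needs for its work.
RULES = [
    Rule("payroll.db", {"read"}, groups={"finance"}, locations={"local"}, hours=OFFICE_HOURS),
    Rule("payroll.db", {"read", "write"}, roles={"payroll-clerk"}, locations={"local"}, hours=OFFICE_HOURS),
    Rule("lecture-notes", {"read"}, groups={"students", "lecturers"}),
    Rule("lecture-notes", {"read", "write"}, roles={"lecturer"}),
]


if __name__ == "__main__":
    clerk = Subject("sara", roles={"payroll-clerk"}, groups={"finance"})
    guest = Subject("guest")
    for req in [Request(clerk, "payroll.db", "write", "local", 10),
                Request(clerk, "payroll.db", "write", "remote", 10),   # wrong location
                Request(clerk, "payroll.db", "write", "local", 20),    # off hours
                Request(guest, "lecture-notes", "read", "remote", 9),  # no role or group
                Request(guest, "nothing-here", "read", "local", 9)]:   # no rule at all
        print(req.subject.name, req.obj, req.action, req.location, req.hour, "->", decide(RULES, req)[0])
```

Note that there is no "deny" rule type at all: the policy only lists what is allowed, so a new object or a new action is unreachable until someone writes a grant for it, which is the property the "default: no access" slide asks for.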
ACCESS CONTROL PRACTICES
Regular tasks to ensure that security stays at a satisfactory level
◦ Deny access to systems by undefined users or anonymous accounts
◦ Limit and monitor the usage of administrator and other powerful accounts
◦ Suspend or delay access capability after a specific number of unsuccessful logon attempts
◦ Remove obsolete user accounts as soon as the user leaves the company
◦ Suspend inactive accounts after 30 to 60 days
◦ Enforce strict access criteria
◦ Enforce the need-to-know and least-privilege practices
◦ Disable unneeded system features, services, and ports
ACCESS CONTROL PRACTICES
◦ Replace default password settings on accounts
◦ Limit and monitor global access rules
◦ Ensure that logon IDs are non-descriptive of job function
◦ Remove redundant user IDs, accounts, and role-based accounts from resource access
lists
◦ Enforce password requirements (length, contents, lifetime, distribution, storage, and
transmission)
◦ Audit system and user events and actions and review reports periodically
◦ Protect audit logs
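An added example (not from the lecture) of an account review that checks several of the practices listed above over a constructed directory export: anonymous or undefined accounts, obsolete accounts of people who have left, accounts inactive longer than the 30 to 60 day window, accounts still on a default password, logon IDs that describe a job function, and redundant IDs for the same person. Field names, the threshold, the word list and the sample records are assumptions.

```python
# Added example (not from the lecture): review a constructed user list against
# several of the access control practices above. Field names, the 60-day
# threshold, the word list and the sample records are assumptions.
from datetime import date

INACTIVE_DAYS = 60
REVIEW_DATE = date(2017, 9, 16)
# Words that would make a logon ID descriptive of a job function (assumed list).
DESCRIPTIVE_WORDS = ("admin", "root", "finance", "payroll", "dba", "backup")

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"id": "a.jalal", "person": "P001", "last_logon": date(2017, 9, 10), "left": False, "default_pw": False},
    {"id": "m.karimi", "person": "P002", "last_logon": date(2017, 5, 1), "left": False, "default_pw": False},
    {"id": "payroll-admin", "person": "P003", "last_logon": date(2017, 9, 1), "left": False, "default_pw": False},
    {"id": "s.ahmadi", "person": "P004", "last_logon": date(2017, 8, 30), "left": True, "default_pw": False},
    {"id": "svc-backup", "person": None, "last_logon": date(2017, 9, 15), "left": False, "default_pw": True},
    {"id": "guest", "person": None, "last_logon": None, "left": False, "default_pw": True},
    {"id": "a.jalal2", "person": "P001", "last_logon": date(2017, 9, 14), "left": False, "default_pw": False},
]


def review_accounts(accounts, today):
    """Return (account id, finding) pairs; an account with no findings needs no action."""
    findings = []
    owners = {}   # person -> list of their logon IDs, to spot redundant accounts
    for a in accounts:
        if a["person"] is None:
            findings.append((a["id"], "no named owner (anonymous/undefined account)"))
        else:
            owners.setdefault(a["person"], []).append(a["id"])
        if a["left"]:
            findings.append((a["id"], "owner has left the company: remove"))
        if a["last_logon"] is None or (today - a["last_logon"]).days > INACTIVE_DAYS:
            findings.append((a["id"], f"inactive for more than {INACTIVE_DAYS} days: suspend"))
        if a["default_pw"]:
            findings.append((a["id"], "still using a default password"))
        if any(word in a["id"].lower() for word in DESCRIPTIVE_WORDS):
            findings.append((a["id"], "logon ID describes a job function"))
    for ids in owners.values():
        for extra in ids[1:]:
            findings.append((extra, f"redundant ID for the same person as {ids[0]}"))
    return findings


if __name__ == "__main__":
    for account_id, finding in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{account_id:15} {finding}")
```

Run against a real export, the same function is the "review reports periodically" task from the list: the findings are the work queue, and an empty result for an account is the evidence that it was reviewed and found in order.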
UNAUTHORIZED DISCLOSURE OF INFORMATION
Object reuse
◦ Reassigning to a subject media that previously contained one or more objects
◦ A hard drive, floppy disk, or tape should be cleared of any residual information that was on it previously
◦ Objects that are reused by computer processes, such as memory locations, variables, and registers
◦ Storage media should be security-labelled by the owner, and procedures for the media life cycle should be defined
UNAUTHORIZED DISCLOSURE OF INFORMATION
Emanation Security
◦ All electronic devices emit electrical signals; these signals can be captured by an attacker using the proper devices at the proper positions as data is transmitted or processed
◦ Tempest: codename referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.
◦ Shielding standards
  ◦ A DoD standard that outlines how to develop countermeasures that control spurious electrical signals emitted by electrical equipment
◦ Tempest equipment is implemented to prevent intruders from picking up information through the airwaves with listening devices
UNAUTHORIZED DISCLOSURE OF INFORMATION
White noise
◦ A uniform spectrum of random electrical signals, so that an intruder is not able to decipher the real information
Control zone
◦ Facilities use material in their walls to contain electrical signals
ACCESS CONTROL MONITORING
A method of keeping track of who attempts to access specific network resources
It is an important detection mechanism
E.g. Intrusion detection system (IDS)
◦ The process of detecting unauthorized use of, or an attack upon, a computer, network, or telecommunications infrastructure
◦ To spot something suspicious/abnormal happening on the network and sound an alarm by flashing a message on a network manager’s screen
◦ Can look for sequences of data bits that might indicate a questionable action or event, or monitor system logs and activity recording files
◦ The sensors collect traffic and user activity data and send it to an analyzer, which looks for suspicious activity and sends an alert to the administrator’s interface on any suspicious activity
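An added example (not from the lecture) of the analyzer stage described above: sensors hand it logon events, it keeps a short per-source history and raises an alert when one source fails against many different accounts inside a time window. That pattern is one a per-account lockout count never notices, because each account fails only once. The log format, window, threshold and events are constructed.

```python
# Added example (not from the lecture): the analyzer stage of an IDS over logon
# events. Log format, window, threshold and the sample events are constructed.
from collections import defaultdict, deque

WINDOW_SECONDS = 120         # how far back a source's failures are remembered
MAX_DISTINCT_ACCOUNTS = 4    # failures against this many accounts -> alert


class Analyzer:
    """Receives events from sensors and alerts the administrator's interface."""

    def __init__(self, alert_sink):
        self.alert = alert_sink                # callable, e.g. the admin console
        self.history = defaultdict(deque)      # source -> deque of (time, user)
        self.alerted = set()                   # sources already reported

    def feed(self, t, source, user, outcome):
        if outcome != "FAIL":
            return
        q = self.history[source]
        q.append((t, user))
        while q and t - q[0][0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= MAX_DISTINCT_ACCOUNTS and source not in self.alerted:
            self.alerted.add(source)
            self.alert(f"{source}: {len(accounts)} accounts failed within {WINDOW_SECONDS}s")


def parse(line):
    """Constructed log format: '<epoch seconds> <source> <user> <OK|FAIL>'."""
    t, source, user, outcome = line.split()
    return int(t), source, user, outcome


# Constructed sensor output: one source tries four accounts in 30 seconds,
# another spreads the same four attempts over several minutes.
SAMPLE_LOG = """\
1000 10.0.0.5 ahmad FAIL
1005 10.0.0.5 ahmad OK
1010 10.0.0.9 ahmad FAIL
1020 10.0.0.9 sara FAIL
1030 10.0.0.9 omar FAIL
1040 10.0.0.9 jalal FAIL
1300 10.0.0.7 ahmad FAIL
1310 10.0.0.7 sara FAIL
1500 10.0.0.7 omar FAIL
1510 10.0.0.7 jalal FAIL
"""


def analyze(lines):
    """Run the analyzer over log lines and return the alerts it raised."""
    alerts = []
    analyzer = Analyzer(alerts.append)
    for line in lines:
        analyzer.feed(*parse(line))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

The second source in the sample stays below the threshold only because its attempts are spread over more than the window; shortening the window or lowering the threshold trades fewer missed cases for more alerts to review, which is the usual tuning decision for this kind of rule.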
KERBEROS
Kerberos: In Greek mythology, a many headed dog; the
guardian of the entrance of Hades
Image Source: MIT Kerberos
Kerberos
Network Authentication Protocol
Invented at MIT in the late 1980s
Trusted third-party key distribution system
Provides centralized third-party authentication in a distributed network
Allows users access to services distributed throughout the network
Uses a Key Distribution Center (KDC)
KERBEROS
Users wish to access services on servers
Three threats exist:
◦ A user pretends to be another user.
◦ A user alters the network address of a workstation.
◦ A user eavesdrops on exchanges and uses a replay attack.
KERBEROS
S: Authentication Server
A: User machine
B: a server that hosts services
$K_{as}$ and $K_{bs}$ are examples of session keys shared by the entities A and B with S
[Figure: S above A and B; A shares $K_{as}$ with S and B shares $K_{bs}$ with S]
• Basically, A wants to talk to B, with permission from S.
Kerberos
1. User A sends a request to the Authentication Server S, asking to sign on to a service on server B.
2. S checks that it knows user A;
   • S generates: (1) a session key $K_{ab}$ and (2) a ticket for B (later passed on to B)
   Note: the password is never sent to S. S generates the secret key by hashing the user’s password found in its database.
   • S sends $K_{ab}$ to A, encrypted under the key $K_{as}$, which is derived from the user’s password.
   • S sends to A:
     $E_{K_{as}}(K_{ab}, n_A, L, B),\ \mathrm{ticket}_B$
     where $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L)$
     (L = lifetime or timestamp; $n_A$ = A’s nonce)
   Note: $K_{bs}$ is a secret key shared by B and S
Kerberos
A has: $E_{K_{as}}(K_{ab}, n_A, L, B),\ \mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L)$
3. A decrypts its part of the reply and checks the nonce; then it sends the ticket and an authenticator to B:
   • Decrypt and get $K_{ab}$ and the nonce:
     $D_{K_{as}}(E_{K_{as}}(K_{ab}, n_A, L, B)) = K_{ab}, n_A, L, B$
   • Compute the authenticator:
     $\mathrm{authenticator} = E_{K_{ab}}(A, T_A)$
   • A sends to B:
     $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L),\ \mathrm{authenticator} = E_{K_{ab}}(A, T_A)$
Kerberos
B has: $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L),\ \mathrm{authenticator} = E_{K_{ab}}(A, T_A)$
4. B decrypts the ticket with $K_{bs}$ and obtains the session key $K_{ab}$;
   B checks that the identifiers (A in the ticket and A in the authenticator) match, that the ticket has not expired, and that the time stamp is valid.
5. B returns the time stamp $T_A$, encrypted under the session key $K_{ab}$, to the client.
Kerberos
The validity period for time stamps must consider the skew between the local clocks of client and server.
Traditionally, Kerberos is deployed using ticket granting servers in conjunction with an authentication server
S = KAS, TGS; A, B
◦ The KAS authenticates principals at logon and issues tickets, which are valid for one login session and enable principals to obtain other tickets from the ticket granting server.
◦ The KAS is sometimes called the KDC, for key distribution centre
◦ A user first contacts the authentication server (KAS) to get a ticket granting ticket (TGT), which is then presented to the Ticket Granting Server (TGS) to obtain server tickets.
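The five-message exchange from the preceding slides (steps 1 to 5 between A, S and B), run end to end as an added example that is not part of the lecture: S, A and B are classes, and the slides’ symbols (Kas, Kbs, Kab, nA, L, TA, ticket_B, authenticator) appear as variable names. Real Kerberos uses standard block ciphers; so that this runs on the Python standard library alone, E and D are a small HMAC-SHA256 based authenticated encryption (keystream plus tag), under which a wrong key fails the tag check, which is exactly what stops A from reading or forging ticket_B. The lifetime, the skew allowance from the slide above, clock values, names and passwords are assumptions; `demo()` also shows a replayed authenticator being refused. The KAS/TGS split on the next slide repeats this same pattern with a TGT in place of the service ticket and is not implemented here.

```python
# Added demo (not the lecture's code); names, clocks, lifetime, skew and keys are assumptions.
import hashlib
import hmac
import json
import os

LIFETIME = 300   # seconds a ticket stays valid (assumed)
MAX_SKEW = 120   # tolerated clock difference between A and B (assumed)

def _stream(key, iv, n):
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, fields):
    """Toy authenticated encryption of a list of fields under key (encrypt-then-MAC)."""
    plain = json.dumps(fields).encode()
    iv = os.urandom(16)
    body = iv + bytes(p ^ s for p, s in zip(plain, _stream(key, iv, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; raises ValueError if the key is wrong or the blob was altered."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or corrupted ciphertext")
    iv, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, iv, len(ct)))))

def key_from_password(password):
    """Kas is derived from the user's password; the password itself never travels to S."""
    return hashlib.sha256(password.encode()).digest()   # demo only; a real KDC uses a salted KDF

class AuthServerS:
    def __init__(self, user_keys, server_keys):
        self.user_keys, self.server_keys = user_keys, server_keys   # A -> Kas, B -> Kbs

    def request(self, A, B, nA, now):
        """Steps 1-2: fresh Kab; reply E_Kas(Kab, nA, L, B) and ticket_B = E_Kbs(Kab, A, L)."""
        Kab, L = os.urandom(32).hex(), now + LIFETIME
        return E(self.user_keys[A], [Kab, nA, L, B]), E(self.server_keys[B], [Kab, A, L])

class ServerB:
    def __init__(self, name, Kbs):
        self.name, self.Kbs, self.seen = name, Kbs, set()   # seen: accepted (A, TA) pairs

    def serve(self, ticket_B, authenticator, now):
        """Steps 4-5: open the ticket with Kbs, check it against the authenticator, answer with TA."""
        Kab, A_ticket, L = D(self.Kbs, ticket_B)
        A_auth, TA = D(bytes.fromhex(Kab), authenticator)
        if A_ticket != A_auth or now > L:
            raise PermissionError("ticket does not match authenticator or has expired")
        if abs(now - TA) > MAX_SKEW or (A_auth, TA) in self.seen:
            raise PermissionError("time stamp invalid or replayed")
        self.seen.add((A_auth, TA))
        return E(bytes.fromhex(Kab), [TA])

def client_A(S, B, A, password, now, server_clock=None):
    """Step 3 as seen by A, plus the checks around it; True when B proves it holds Kab."""
    nA = os.urandom(8).hex()
    reply, ticket_B = S.request(A, B.name, nA, now)
    Kab, nA_back, L, B_back = D(key_from_password(password), reply)   # fails on a wrong password
    if nA_back != nA or B_back != B.name:
        raise PermissionError("reply is not fresh or not for the requested server")
    TA = now
    authenticator = E(bytes.fromhex(Kab), [A, TA])
    confirmation = B.serve(ticket_B, authenticator, now if server_clock is None else server_clock)
    return D(bytes.fromhex(Kab), confirmation)[0] == TA

def demo():
    """Run the exchange in several situations; returns the outcome of each."""
    Kbs = os.urandom(32)
    S = AuthServerS({"alice": key_from_password("correct horse")}, {"fileserver": Kbs})
    B = ServerB("fileserver", Kbs)
    cases = {"normal": dict(password="correct horse", now=1000),
             "small_skew": dict(password="correct horse", now=1010, server_clock=1100),
             "wrong_password": dict(password="wrong", now=1020),
             "large_skew": dict(password="correct horse", now=1030, server_clock=1030 + MAX_SKEW + 1),
             "expired": dict(password="correct horse", now=1040, server_clock=1040 + LIFETIME + 1)}
    out = {}
    for label, kw in cases.items():
        try:
            out[label] = client_A(S, B, "alice", **kw)
        except (ValueError, PermissionError) as exc:
            out[label] = str(exc)
    reply, ticket_B = S.request("alice", "fileserver", "nonce", 1050)   # a legitimate exchange...
    Kab = bytes.fromhex(D(key_from_password("correct horse"), reply)[0])
    auth = E(Kab, ["alice", 1050])
    B.serve(ticket_B, auth, 1050)                                       # ...accepted once
    try:
        out["replay"] = D(Kab, B.serve(ticket_B, auth, 1060))           # ...then resent by an eavesdropper
    except PermissionError as exc:
        out["replay"] = str(exc)
    return out

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15} {outcome}")
```

The checks B performs map one to one onto step 4 of the slides: the identifier comparison, the lifetime L, and the time stamp TA against its own clock within the skew allowance; remembering accepted (A, TA) pairs is what turns the time stamp into a replay defence rather than only a freshness hint.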
Ticket Granting Servers
[Figure: A exchanges messages 1-2 with the KAS, 3-4 with the TGS and 5 with B]
1. Request ticket granting ticket
2. TGT is granted
3. Request server ticket
4. Server ticket
5. Service request
DIFFERENCE BETWEEN VERSION 4 AND 5
• Encryption system dependence
– v4 requires the DES algorithm
– v5 allows many encryption techniques
– Ciphertext is tagged with an encryption type id.
• Internet protocol dependence
– v4 requires the use of IP
– v5 allows other network protocols
DIFFERENCE BETWEEN VERSION 4 AND 5
• Ticket lifetime
– v4 encodes it as an 8-bit quantity
– v5 allows explicit start and end times.
• Authentication forwarding
– v4 does not allow credentials issued to one client to be forwarded to another host for use by some other client.
– v5 allows it.
KERBEROS – IN PRACTICE
• Currently there are two Kerberos versions:
– v4: restricted to a single realm
– v5: allows inter-realm authentication, in beta test
– Kerberos v5 is an Internet standard
– specified in RFC 1510, and used by many utilities
• Requirements to use Kerberos:
– need to have a KDC on your network
– need to have Kerberised applications running on all participating systems
– major problem: US export restrictions, where Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
– Alternatively, crypto libraries must be re-implemented locally
END
Thanks for hearing…………………….
9/16/2017 KABUL EDUCATION UNIVERSITY 50

Network security # Lecture 2

  • 1.
    CSC8 – NETWORK SECURITY KABULEDUCATION UNIVERSITY C O M P U T E R S C I E N C E D E P A R T M E N T L E C T U R E R : I S L A H U D D I N J A L A L M A S T E R I N C Y B E R S E C U R I T Y 9/16/2017 KABUL EDUCATION UNIVERSITY 1
  • 2.
    Second week courseoutlines Overview of network security ◦ Security Concerns of authentication ◦ Access Control ◦ Identification ◦ Authentication ◦ Authorization ◦ Identity Management ◦ Password and password management ◦ Kerberos 9/16/2017 KABUL EDUCATION UNIVERSITY 2
  • 3.
    Class Policy A studentmust reach the class-room in time. Late comers may join the class but are not entitled to be marked present. Attendance shall be marked at the start of the class and students failing to secure 75% attendance will not be allowed to sit in final exam. The assignment submission deadline must be observed. In case of late submission, ten percent may be deducted from each day. Those who are absent on the announcement date of the assignment/test. Must get the topic/chapter of test/assignment confirmed through their peers. Mobile phones must be switched-off in the class-rooms. 9/16/2017 KABUL EDUCATION UNIVERSITY 3
  • 4.
    Grading Evaluation forNetwork Security Internal Evaluation Midterm Exam 20% Attendance 5% Assignment/Presentations 5% Quizzes/Tests 10% Total Internal Evaluation 40% Final-term Examination Final-term Exam 60% Total Marks 100% 9/16/2017 KABUL EDUCATION UNIVERSITY 4
  • 5.
    SECURITY CONCERNS Key concernsare confidentiality and timeliness ◦ Prevent unauthorized access ◦ ensure freshness of data To provide confidentiality, one must encrypt identification and session key information ◦ This requires the use of previously shared private or public keys Need timeliness to prevent replay attacks ◦ by using sequence numbers or timestamps or challenge/response 9/16/2017 KABUL EDUCATION UNIVERSITY 5
  • 6.
    ACCESS CONTROLS Security featuresthat control how users and systems communicate and interact with other systems and resources Protect the systems and resources from unauthorized access, and monitor the activities through: ◦ identification, authentication, authorization and accountability Subject: Is an active entity that requests access to an object or the data within an object Object: A passive entity that contains information Access: Is the flow of information between a subject and an object 9/16/2017 KABUL EDUCATION UNIVERSITY 6
  • 7.
    IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION •Identification – Ensure that a subject (user, program, or process) is the entity it claims to be – Identification can be provided with the use of a username or account number • Authentication – The subject is usually required to provide another method of credentials such as: password, passphrase, cryptographic key, personal identification number (PIN), biometrics, or token 9/16/2017 KABUL EDUCATION UNIVERSITY 7
  • 8.
    IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION •Authorization –Aprocess that grants or denies subject access to object • Subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is that, if the subject can be uniquely identified and the subject’s actions are recorded • Technical/logical access controls are tools used for identification, authentication, authorization, and accountability 9/16/2017 KABUL EDUCATION UNIVERSITY 8
  • 9.
    IDENTIFICATION AND AUTHENTICATION Threegeneral factors for authentication: ◦ Something a person knows: A password, PIN, mother’s maiden name, or combination to a lock ◦ Something a person has: A key, swipe card, access card, or badge ◦ Something a person is: Unique physical attribute (biometrics) Two-factor authentication ◦ Strong authentication contains more than one of these three methods 9/16/2017 KABUL EDUCATION UNIVERSITY 9
  • 10.
    IDENTIFICATION AND AUTHENTICATION IdentificationRequirements ◦ Each value should be unique, for user accountability ◦ A standard naming scheme should be followed ◦ The value should be non-descriptive of the user’s position or tasks ◦ The value should not be shared between users 9/16/2017 KABUL EDUCATION UNIVERSITY 10
  • 11.
    IDENTITY MANAGEMENT Automated productsto identify, authenticate, and authorize subject To manage individuals, their authentication, authorization, and privileges within or across systems. The objective is to increase security and productivity and decrease cost, downtime and redundant tasks E.g Lastpass, keepass, Password Safe (password manager) etc. 9/16/2017 KABUL EDUCATION UNIVERSITY 11
  • 12.
    IDENTITY MANAGEMENT Examples oftechnologies, services and terms related to identity management: ◦ Active Directory, Service Providers, Identity Providers, Web Services, Access control, Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC Common services provided ◦ Password synchronization and resetting ◦ Delegation of administrative tasks ◦ Centralized auditing and reporting ◦ Integrated workflow and increase in business productivity ◦ Regulatory compliance 9/16/2017 KABUL EDUCATION UNIVERSITY 12
  • 13.
    PASSWORDS A password issomething the user knows Passwords are one of the most used authentication mechanisms It is important that the passwords are strong and properly managed However, it is also the weakest security mechanisms 9/16/2017 KABUL EDUCATION UNIVERSITY 13
  • 14.
    PASSWORD MANAGEMENT System generatedpassword should create uncomplicated, pronounceable, non- dictionary words to help users remember them so that they aren’t tempted to write them down User generated password should contain a certain number of characters, unrelated to the user ID, include special characters, include upper- and lowercase letters, and not be easily guessable Forced to change their passwords periodically 9/16/2017 KABUL EDUCATION UNIVERSITY 14
  • 15.
    PASSWORD MANAGEMENT •As aprecaution to the users: – A message can be presented to a user indicating the date and time of the last successful logon, the location of this logon, and if there were any unsuccessful logon attempts – Certain number of failed logon attempts (clipping level) to be accepted before a user is locked out •Audit trail can also be used to track password usage and successful and unsuccessful logon attempts 9/16/2017 KABUL EDUCATION UNIVERSITY 15
  • 16.
    PASSWORD MANAGEMENT Password attacktechniques ◦ Electronic monitoring ◦ Listening to network traffics to capture information. The password can be copied and reused by the attacker at another time, which is called a replay attack ◦ Access to the password file ◦ Usually done at the authentication server. This file should be protected with access control mechanisms and encryption 9/16/2017 KABUL EDUCATION UNIVERSITY 16
  • 17.
    PASSWORD MANAGEMENT Password attacktechniques ◦ Brute force attacks ◦ Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password. ◦ Dictionary attacks ◦ Files of thousands of words are used to compare to the user’s password until a match is found ◦ Social engineering ◦ An attacker falsely convinces an individual that he/she has the necessary authorization to access specific resources 9/16/2017 KABUL EDUCATION UNIVERSITY 17
  • 18.
    PASSWORD CHECKERS Test thestrength of user-chosen passwords using tools that perform dictionary and/or brute force attacks to detect the weak passwords You need to obtain management’s approval before attempting the test Password cracker: it is usually the same tool use by hackers to obtain password 9/16/2017 KABUL EDUCATION UNIVERSITY 18
  • 19.
    PASSWORD HASHING ANDENCRYPTION When password is sent to the network, it should not be sent in cleartext Password should be hashed or encrypted before using 9/16/2017 KABUL EDUCATION UNIVERSITY 19 Picture Source: RAHUL THADANI
  • 20.
    COGNITIVE PASSWORDS A useris enrolled by answering several questions based on her life experiences that she is not likely to forget User answer the questions, instead of having to remember a password This authentication process is best for a service the user does not use on a daily basis because it takes longer than other authentication mechanisms 9/16/2017 KABUL EDUCATION UNIVERSITY 20
  • 21.
    ONE-TIME PASSWORDS Also calleda dynamic password Used for authentication purposes and is only used once (cannot be reused) E.g.: Token device ◦ usually a handheld device that has an LCD display and possibly a keypad ◦ This hardware is separated from the computer that the user want to access ◦ Generate a one-time password to be entered by user when logging onto a computer 9/16/2017 KABUL EDUCATION UNIVERSITY 21
  • 22.
    ONE-TIME PASSWORDS Two typesof token device ◦ Synchronous token device ◦ Asynchronous token device 9/16/2017 KABUL EDUCATION UNIVERSITY 22
  • 23.
    ONE-TIME PASSWORDS •Synchronous TokenDevice: – Usually requires a hardware called a security token, given to each user to generate a one-time password. – for e.g. a small calculator or a dongle with an LCD display that shows random numbers. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server. – the generation of new passwords is based on the current time 9/16/2017 KABUL EDUCATION UNIVERSITY 23
  • 24.
    ONE-TIME PASSWORDS Asynchronous TokenDevice: 9/16/2017 KABUL EDUCATION UNIVERSITY 24 Source: Certified Information Systems Security Professional Token Device
  • 25.
    ONE-TIME PASSWORDS Both tokensystems can fall prey to masquerading if a user shares his identification information (ID or username), or the token device is shared or stolen The token device can also have battery failure or other malfunctions However, this type of system is not vulnerable to electronic eavesdropping, sniffing, or password guessing Two factors authentication is use: • The user has to enter a password or PIN into the token device before it provides a one-time password: Something the user knows (PIN) and something the user has (the token device) 9/16/2017 KABUL EDUCATION UNIVERSITY 25
  • 26.
    CRYPTOGRAPHIC KEYS Use aprivate key or generate a digital signature Private keys and digital signatures have higher security protection than passwords A private key is a secret value that should be in the possession of one person, and one person only and it should never be disclosed to an outside party A digital signature is a technology that uses a private key to encrypt a hash value (message digest) 9/16/2017 KABUL EDUCATION UNIVERSITY 26
  • 27.
    PASSPHRASE •A sequence ofcharacters that is longer than a password (thus a “phrase”), used as password during an authentication process •Passphrase is transform into a virtual password, with length and format that are required for authentication •Passphrase is more secure than a password because it is longer and likely to remember than password •E.g: – “Gran Hewad Afghanistan" – “Nangarhar hamesha Bahar” 9/16/2017 KABUL EDUCATION UNIVERSITY 27
  • 28.
    ACCESS CRITERIA Granting accessrights to subjects based on the level of trust a company has in a subject and the subject’s need to know Five different access criteria 1. Roles – An efficient way to assign rights to a subject who performs a certain task that is based on a job assignment or function 2. Group – Users that require the same access to resource are grouped and then assigning rights and permissions to that group – Easier to manage than assigning rights and permissions to each and every individual separately 9/16/2017 KABUL EDUCATION UNIVERSITY 28
ACCESS CRITERIA (continued)
3. Physical or logical location – Control object access according to whether the subject logs on interactively (locally) or remotely.
4. Time of day – Define the time and duration during which object access is available to a subject (e.g. office hours versus off hours).
5. Transaction type – Control which objects may be accessed during certain types of function, and which commands may be carried out on the object.
DEFAULT: NO ACCESS
◦ Access control mechanisms should default to no access, to provide the necessary level of security and to ensure that no security holes go unnoticed.
◦ If access is not explicitly allowed, it should be completely denied: an unknown subject, object or action falls through to "deny" rather than to "allow".
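An added example, not part of the lecture, that puts the five access criteria (roles, group, location, time of day, transaction type) and the default-deny rule together in one decision function. The rule fields, the sample subjects and the "payroll_db" object are constructed for illustration; times are whole hours to keep the example short.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class Subject:
    name: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    location: str = "remote"          # "local" (interactive logon) or "remote"


@dataclass
class Rule:
    """One explicit grant. Anything not matched by a rule is denied."""
    obj: str
    actions: Set[str]                                  # transaction types allowed
    roles: Set[str] = field(default_factory=set)       # criterion 1
    groups: Set[str] = field(default_factory=set)      # criterion 2
    locations: Set[str] = field(default_factory=lambda: {"local", "remote"})  # 3
    hours: Tuple[int, int] = (0, 23)                   # criterion 4, inclusive

    def matches(self, subject: Subject, action: str, hour: int) -> bool:
        if not (self.roles & subject.roles or self.groups & subject.groups):
            return False                               # no role or group match
        return (action in self.actions                 # criterion 5
                and subject.location in self.locations
                and self.hours[0] <= hour <= self.hours[1])


def is_allowed(subject: Subject, obj: str, action: str, hour: int, rules) -> bool:
    """Default: no access. Only an explicit, fully matching rule grants."""
    return any(r.obj == obj and r.matches(subject, action, hour) for r in rules)


# Constructed policy: accountants may read payroll from the office, 08:00-17:00;
# the "finance" group may additionally write to it under the same conditions.
RULES = [
    Rule("payroll_db", {"read"}, roles={"accountant"}, locations={"local"}, hours=(8, 17)),
    Rule("payroll_db", {"read", "write"}, groups={"finance"}, locations={"local"}, hours=(8, 17)),
]

if __name__ == "__main__":
    ali = Subject("ali", roles={"accountant"}, location="local")
    print(is_allowed(ali, "payroll_db", "read", 10, RULES),
          is_allowed(ali, "payroll_db", "read", 20, RULES))
```

Because the function returns True only on a positive match, adding a new object or action to the system requires writing a rule before anyone can use it, which is exactly the "no unnoticed holes" property the slide asks for.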
NEED TO KNOW
◦ The need-to-know principle is closely related to the least-privilege principle.
◦ Individuals should be given access only to the information they absolutely need in order to perform their job duties.
◦ Grant the least amount of privilege, but just enough for the individual to be productive when carrying out their tasks.
ACCESS CONTROL PRACTICES
Regular tasks to ensure that security stays at a satisfactory level:
◦ Deny access to systems by undefined users or anonymous accounts
◦ Limit and monitor the usage of administrator and other powerful accounts
◦ Suspend or delay access capability after a specific number of unsuccessful logon attempts
◦ Remove obsolete user accounts as soon as the user leaves the company
◦ Suspend inactive accounts after 30 to 60 days
◦ Enforce strict access criteria
◦ Enforce the need-to-know and least-privilege practices
◦ Disable unneeded system features, services, and ports
ACCESS CONTROL PRACTICES (continued)
◦ Replace default password settings on accounts
◦ Limit and monitor global access rules
◦ Ensure that logon IDs are non-descriptive of job function
◦ Remove redundant user IDs, accounts, and role-based accounts from resource access lists
◦ Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission)
◦ Audit system and user events and actions, and review the reports periodically
◦ Protect audit logs
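The following added example (not from the lecture) implements three of the practices listed on the last two slides as code: delaying access after repeated failed logons, suspending accounts inactive for 60 days, and flagging accounts whose default password was never replaced. The thresholds and the account records are assumed values for illustration; times are Unix seconds.

```python
MAX_FAILED = 5               # assumed policy values, not from the lecture
LOCK_DELAY = 15 * 60         # seconds an account stays locked after MAX_FAILED
INACTIVE_AFTER = 60 * 86400  # suspend after 60 days without a successful logon


class Account:
    def __init__(self, user_id, last_logon, password_is_default=False):
        self.user_id = user_id
        self.last_logon = last_logon          # Unix time of last successful logon
        self.password_is_default = password_is_default
        self.failed = 0                       # consecutive failed attempts
        self.locked_until = 0                 # Unix time; 0 means not locked
        self.suspended = False


def attempt_logon(acct: Account, password_ok: bool, now: int) -> str:
    """Preventive control: after MAX_FAILED bad attempts the account is locked
    for LOCK_DELAY seconds, during which even the correct password is refused."""
    if acct.suspended:
        return "suspended"
    if now < acct.locked_until:
        return "locked"
    if password_ok:
        acct.failed, acct.locked_until, acct.last_logon = 0, 0, now
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED:
        acct.failed = 0
        acct.locked_until = now + LOCK_DELAY
        return "locked"
    return "denied"


def hygiene_sweep(accounts, now: int):
    """Periodic review task: suspend inactive accounts and report accounts that
    still carry a default password. Returns (user_id, finding) pairs."""
    findings = []
    for a in accounts:
        if not a.suspended and now - a.last_logon > INACTIVE_AFTER:
            a.suspended = True
            findings.append((a.user_id, "suspended: inactive"))
        if a.password_is_default:
            findings.append((a.user_id, "default password still set"))
    return findings


if __name__ == "__main__":
    a = Account("ali", last_logon=10_000_000)
    for t in range(5):
        print(attempt_logon(a, False, 10_000_100 + t))
    print(attempt_logon(a, True, 10_000_105))   # correct password, still locked
```

A lockout that never expires hands an attacker a denial-of-service lever (guess wrong five times against every account), which is why the slide says "suspend or delay" and the example uses a delay.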
UNAUTHORIZED DISCLOSURE OF INFORMATION
Object reuse
◦ Reassigning to a subject media that previously contained one or more objects.
◦ Before a hard drive, floppy disk, or tape is reassigned, it should be cleared of any residual information that was on it previously.
◦ Also applies to objects reused by computer processes, such as memory locations, variables, and registers.
◦ Storage media should be security-labelled by the owner, and procedures for the media life cycle should be defined.
◦ Caveat: overwriting is reliable for magnetic media, but flash and SSD wear-levelling can leave stale copies that the operating system cannot address; for such media use the drive's built-in secure-erase, or encrypt the media and destroy the key.
UNAUTHORIZED DISCLOSURE OF INFORMATION
Emanation security
◦ All electronic devices emit electrical signals; these signals can be captured by an attacker with the proper equipment in the proper position while data is transmitted or processed.
◦ TEMPEST: a codename referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.
◦ Shielding standards: TEMPEST is also the name of the (US DoD/NSA) standards that outline how to develop countermeasures controlling the spurious electrical signals emitted by electrical equipment.
◦ TEMPEST-rated equipment is deployed to prevent intruders from picking up information through the airwaves with listening devices.
UNAUTHORIZED DISCLOSURE OF INFORMATION
White noise
◦ A uniform spectrum of random electrical signals transmitted alongside the real ones, so that an intruder is not able to decipher the real information.
Control zone
◦ Facilities use shielding material in their walls to contain electrical signals within a defined area.
ACCESS CONTROL MONITORING
A method of keeping track of who attempts to access specific network resources. It is an important detection mechanism, e.g. an intrusion detection system (IDS):
◦ The process of detecting unauthorized use of, or an attack upon, a computer, network, or telecommunications infrastructure.
◦ Spots something suspicious or abnormal happening on the network and sounds an alarm, for example by flashing a message on the network manager's screen.
◦ Can look for sequences of data bits (signatures) that might indicate a questionable action or event, or monitor system logs and activity-recording files.
◦ Sensors collect traffic and user activity data and send it to an analyzer, which looks for suspicious activity and raises an alert on the administrator's interface.
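An added example, not from the lecture, of the sensor/analyzer pattern just described: the "sensor" is a parser for sshd logon lines, and the "analyzer" keeps a sliding window of failed logons per source address and raises an alert when a threshold is crossed. The log lines below are constructed for the example (documentation-range addresses, not captured from a real host), and the threshold, window and year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from any real system): one password-guessing burst
# from 203.0.113.5 and ordinary activity from 198.51.100.7.
SAMPLE_LOG = """\
Sep 16 10:00:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Sep 16 10:00:02 host sshd[2202]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Sep 16 10:00:03 host sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Sep 16 10:00:04 host sshd[2204]: Failed password for root from 203.0.113.5 port 51003 ssh2
Sep 16 10:00:05 host sshd[2205]: Failed password for root from 203.0.113.5 port 51004 ssh2
Sep 16 10:00:09 host sshd[2206]: Accepted password for bob from 198.51.100.7 port 40000 ssh2
Sep 16 10:30:00 host sshd[2207]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Sep 16 10:31:00 host sshd[2208]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port")


def parse(line: str, year: int = 2017):
    """Sensor: turn one syslog line into an event, or None if it is not a logon line.
    Syslog omits the year, so it is supplied (assumed 2017 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group(2), "user": m.group(3), "src": m.group(4)}


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60):
    """Analyzer: alert when one source produces `threshold` failed logons within
    `window_s` seconds. Returns (source, time of alert, failures in window)."""
    recent = defaultdict(deque)      # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((ev["src"], ev["ts"], len(q)))
            q.clear()                # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for src, when, n in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT %s: %d failed logons ending %s" % (src, n, when))
```

The single legitimate failure from 198.51.100.7 never reaches the threshold, which is the point of windowing: counting failures without a time bound would eventually flag every user who occasionally mistypes a password.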
KERBEROS
Kerberos: in Greek mythology, the many-headed dog that guards the entrance to Hades. Image source: MIT Kerberos.
KERBEROS NETWORK AUTHENTICATION PROTOCOL
◦ Developed at MIT (Project Athena) in the 1980s
◦ A trusted-third-party key distribution system
◦ Provides centralized third-party authentication in a distributed network
◦ Allows users access to services distributed throughout the network
◦ Uses a Key Distribution Center (KDC)
KERBEROS
Users wish to access services on servers. Three threats exist:
◦ A user pretends to be another user.
◦ A user alters the network address of a workstation.
◦ A user eavesdrops on exchanges and mounts a replay attack.
KERBEROS
◦ S: Authentication Server
◦ A: user machine (client)
◦ B: a server that hosts services
◦ $K_{as}$ and $K_{bs}$ are the long-term secret keys that A and B respectively share with S (the session key $K_{ab}$ is generated later by S).
(Diagram: A and B each share a key, $K_{as}$ and $K_{bs}$, with S.)
◦ Basically, A wants to talk to B, with permission from S.
KERBEROS (messages 1 and 2)
1. User A sends a request to the Authentication Server S, asking to sign on to a service on server B, together with a fresh nonce $n_A$:
   A → S: $A, B, n_A$
2. S checks that it knows user A, then generates (1) a session key $K_{ab}$ and (2) a ticket for B, which A will later hand to B, and sends to A:
   S → A: $E_{K_{as}}(K_{ab}, n_A, L, B),\ \mathrm{ticket}_B$   where   $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L)$
◦ L is the lifetime (or timestamp) of the ticket.
◦ $K_{ab}$ is sent to A encrypted under $K_{as}$, the key derived from the user's password.
◦ Note: the password is never sent to S. S derives $K_{as}$ by hashing the password of the user found in its database.
◦ Note: $K_{bs}$ is a long-term secret key shared by B and S.
KERBEROS (message 3)
A now has $E_{K_{as}}(K_{ab}, n_A, L, B)$ and $\mathrm{ticket}_B$.
3. A decrypts its part of the reply and checks the nonce:
   ◦ $D_{K_{as}}(E_{K_{as}}(K_{ab}, n_A, L, B)) = K_{ab}, n_A, L, B$ gives A the session key $K_{ab}$, the nonce and the lifetime; the nonce must equal the one A sent (freshness) and B must be the server A asked for.
   ◦ A computes an authenticator with its current timestamp $T_A$: $\mathrm{authenticator}_A = E_{K_{ab}}(A, T_A)$
   ◦ A sends to B the ticket and the authenticator:
     A → B: $\mathrm{ticket}_B,\ \mathrm{authenticator}_A = E_{K_{bs}}(K_{ab}, A, L),\ E_{K_{ab}}(A, T_A)$
KERBEROS (messages 4 and 5)
B now has $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L)$ and $\mathrm{authenticator}_A = E_{K_{ab}}(A, T_A)$.
4. B decrypts the ticket with $K_{bs}$ and obtains the session key $K_{ab}$. B checks that the identifier A in the ticket matches the one in the authenticator, that the ticket has not expired (L), and that the timestamp $T_A$ is valid (within the permitted clock skew, and not already seen, so a replayed authenticator is refused).
5. B returns the timestamp $T_A$ encrypted under the session key to the client:
   B → A: $E_{K_{ab}}(T_A)$
   This proves to A that B could read the ticket, i.e. that B knows $K_{bs}$ and now shares $K_{ab}$.
KERBEROS
◦ The validity period for timestamps must allow for the skew between the local clocks of client and server.
◦ Traditionally, Kerberos is deployed with a ticket granting server in conjunction with the authentication server; the principals are then S = KAS, TGS, A, B.
◦ The KAS authenticates principals at logon and issues tickets that are valid for one login session and enable principals to obtain further tickets from the Ticket Granting Server.
◦ The KAS is sometimes called the KDC, for Key Distribution Center.
◦ A user first contacts the authentication server (KAS) to obtain a ticket-granting ticket (TGT); the TGT is then presented to the Ticket Granting Server (TGS) to obtain service tickets for individual servers such as B.
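The exchange on the last four slides, as an added example that is not part of the lecture: A, S and B are in-process objects that send each other the five messages in the slides' notation, with B enforcing the checks from step 4 (matching identifiers, ticket lifetime, clock skew, and rejection of a replayed authenticator). Real Kerberos uses DES or AES and an ASN.1 wire format; here a toy authenticated cipher built from HMAC-SHA256 stands in so the example runs with the Python standard library only, and the user names, password and lifetime are constructed values.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj) -> bytes:
    """Toy E_K: nonce || XOR-stream ciphertext || HMAC tag (encrypt-then-MAC).
    Stand-in for the real cipher; not for production use."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Toy D_K; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    """K_as: S stores only this derived key; the password itself is never sent."""
    return hashlib.sha256(password.encode()).digest()


class AuthServer:                                   # S
    def __init__(self, user_keys: dict, server_keys: dict):
        self.user_keys, self.server_keys = user_keys, server_keys

    def request(self, a: str, b: str, n_a: str, lifetime: int = 300):
        """Message 2: E_Kas(Kab, nA, L, B) and ticket_B = E_Kbs(Kab, A, L)."""
        k_ab = os.urandom(32).hex()
        L = time.time() + lifetime
        ticket = encrypt(self.server_keys[b], {"Kab": k_ab, "A": a, "L": L})
        return encrypt(self.user_keys[a], {"Kab": k_ab, "nA": n_a, "L": L, "B": b}), ticket


class Server:                                       # B
    def __init__(self, k_bs: bytes, skew: int = 60):
        self.k_bs, self.skew, self.seen = k_bs, skew, set()

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Step 4 checks, then message 5: E_Kab(TA)."""
        t = decrypt(self.k_bs, ticket)
        k_ab = bytes.fromhex(t["Kab"])
        auth = decrypt(k_ab, authenticator)         # only the ticket holder knows Kab
        now = time.time()
        if auth["A"] != t["A"]:
            raise ValueError("identifier mismatch between ticket and authenticator")
        if now > t["L"]:
            raise ValueError("ticket expired")
        if abs(now - auth["TA"]) > self.skew:
            raise ValueError("timestamp outside allowed clock skew")
        if (t["A"], auth["TA"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((t["A"], auth["TA"]))
        return encrypt(k_ab, {"TA": auth["TA"]})


def client_login(a: str, password: str, b: str, S: AuthServer, B: Server):
    """A's side of steps 1-5. Returns Kab plus the ticket and authenticator it sent."""
    k_as = key_from_password(password)
    n_a = os.urandom(8).hex()                       # 1: A -> S: A, B, nA
    reply, ticket = S.request(a, b, n_a)            # 2: S -> A
    r = decrypt(k_as, reply)                        # 3: fails if the password was wrong
    if r["nA"] != n_a or r["B"] != b:
        raise ValueError("reply is not fresh or names the wrong server")
    k_ab = bytes.fromhex(r["Kab"])
    t_a = time.time()
    authenticator = encrypt(k_ab, {"A": a, "TA": t_a})
    resp = B.accept(ticket, authenticator)          # 4: A -> B, 5: B -> A
    if decrypt(k_ab, resp)["TA"] != t_a:
        raise ValueError("B could not prove knowledge of Kab")
    return k_ab, ticket, authenticator


if __name__ == "__main__":
    k_bs = os.urandom(32)                            # constructed long-term key of B
    S = AuthServer({"alice": key_from_password("correct horse")}, {"fileserver": k_bs})
    B = Server(k_bs)
    k_ab, ticket, auth = client_login("alice", "correct horse", "fileserver", S, B)
    print("session key established:", k_ab.hex()[:16], "...")
```

Two details worth noticing: a wrong password makes step 3 fail on A's own machine (the MAC on the reply does not verify), so S never learns whether the password was right, and B's `seen` set is what turns the timestamp into a replay defence; without it an eavesdropper could resend the captured ticket and authenticator within the skew window.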
TICKET GRANTING SERVERS
1. A requests a ticket-granting ticket from the KAS
2. The TGT is granted
3. A presents the TGT to the TGS and requests a server ticket for B
4. The server ticket is issued
5. A sends the service request (server ticket plus authenticator) to B
(Diagram: messages 1 and 2 between A and KAS, 3 and 4 between A and TGS, 5 from A to B.)
DIFFERENCE BETWEEN VERSION 4 AND 5
• Encryption system dependence
  – v4 requires the DES algorithm
  – v5 allows many encryption techniques; ciphertext is tagged with an encryption type identifier
• Internet protocol dependence
  – v4 requires the use of IP addresses
  – v5 allows other network address types
DIFFERENCE BETWEEN VERSION 4 AND 5 (continued)
• Ticket lifetime
  – v4 encodes it in an 8-bit quantity (in units of five minutes, so about 21 hours at most)
  – v5 allows explicit start and end times
• Authentication forwarding
  – v4 does not allow credentials issued to one client to be forwarded to another host for use by a different client
  – v5 allows it
KERBEROS – IN PRACTICE
• Two Kerberos versions exist:
  – v4: restricted to a single realm
  – v5: allows inter-realm authentication
  – Kerberos v5 is an Internet standard, originally specified in RFC 1510 (since replaced by RFC 4120), and is used by many utilities
• Requirements to use Kerberos:
  – a KDC on your network
  – Kerberized applications running on all participating systems
  – Historically a major problem: US export restrictions meant Kerberos could not be directly distributed outside the US in source form (binary versions had to obscure the crypto routine entry points and ship with no encryption), so crypto libraries had to be re-implemented locally; these restrictions were later relaxed and no longer apply to current releases

Editor's Notes

  • #6 Timeliness: ensure freshness of data
  • #36 Emanation: something that is emitted, or is emitting
  • #44 A nonce is a random number used in a ticket request that must never be reused