Internet Security Applications • Chapter 4 137 How S/MIME Works In order to send an S/MIME secured message, both the sender and recip- ient must have an S/MIME-capable client such as Outlook, Outlook Express, or Netscape Communicator. Indeed, one of the advantages of S/MIME is that the sender and receiver of an e-mail do not need to run the same mail package. A list of products that have passed S/MIME inter- operability testing is available at www.rsasecurity.com/standards/smime/ interop_center.html. In addition, each user must obtain a digital certificate with a corresponding private key. S/MIME is a hybrid encryption system that uses both public and private key algorithms. Public key cryptography is too slow to use for encrypting bulk data, but it is difficult to distribute private keys securely without public key cryptography. In the S/MIME standard, public key cryptography is used for symmetric key exchange and for digital signatures. S/MIME requires the use of X.509 digital certificates discussed earlier in this chapter. The S/MIME specification recommends the use of three encryption algorithms: DES, Triple-DES, and RC2. The security of an S/MIME encrypted message largely depends upon the key size of the encryption algorithm. An interesting aspect of S/MIME is that the receiver, not the sender, of a message determines the encryption method used based on information provided in the digital certificate. Sending an S/MIME message involves several steps. First, someone wishes to send an encrypted e-mail that will be safe from eavesdroppers. The message is encrypted with a randomly generated symmetric session key. Next, this session key is encrypted using the recipient’s public key. This key was either previously exchanged or it was pulled from a directory such as an LDAP server. Next, the encrypted message, the session key, algorithm identifiers and other data are all packaged into a PKCS #7- formatted binary object. This object is then encoded into a MIME object using the application/pkcs7-mime content type. The message is then sent. When the message is received, the digital envelope is opened and the recipient’s private key decrypts the session key. The session key is then used to decrypt the message. The clear-text message can now be read. Thanks primarily to vendor support, S/MIME seems to be emerging as the e-mail security standard of choice. S/MIME also plays a key role in Microsoft’s Windows 2000/Exchange 2000 strategy. S/MIME and PGP both provide reliable and secure methods for encrypting e-mail. PGP’s trust model, until version 7.0, has relied on the web of trust security model. S/MIME, on the other hand, can take advantage of PKI and digital certificates, helping it to scale to much larger environments. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 137 138 Chapter 4 • Internet Security Applications S/MIME is also integrated into many e-mail clients, whereas PGP requires the user to download an application and install e-mail application plug-ins. Potential Security Risks with S/MIME To be effective, S/MIME must use an adequate key length and strong encryption algorithm like Triple-DES. Many times when sending e-mail among various S/MIME-enabled applications, the only common encryption format is 40-bit RC4. This is not a sufficient key length to provide even minimal security. For example, Bruce Schneier, a noted cryptographer, cre- ated an S/MIME screen saver that cracks 40-bit RC2 keys using idle CPU cycles. This would not be a plausible attack against Triple-DES. The screen saver is available at www.counterpane.com/smime.html. S/MIME has the same issues of trust as PGP. In order for secure com- munications to take place between a sender and recipient, you must have a level of assurance that you are encrypting to the correct public key. Like PGP, the secret key must be kept physically secure. Since S/MIME uses digital certificates, many of the same issues apply, especially the handling of CRLs. Understanding Kerberos Originally developed at MIT, the Kerberos authentication protocol is capable of providing strong authentication services in a distributed com- puting environment. Kerberos provides mutual authentication of both the client and server. With the inclusion of the Kerberos authentication protocol as the default authentication system in Windows 2000, interest in Kerberos and Kerberos application development have accelerated. For the purposes of this chapter, we will discuss version 5 of the Kerberos protocol, as the use of Kerberos version 4 is not generally recommended. The principal behind Kerberos is that a client and server do not neces- sarily trust each other, but both machines trust a Kerberos KDC. Kerberos provides a system of encrypted messages called tickets, which securely establish trust between two machines on a network. Using Kerberos, pass- words are never transmitted over the network, even in encrypted format. If a Kerberos ticket is intercepted, the ticket is still protected because it is encrypted. Once a client machine has a ticket to a particular server, the ticket is cached on the local machine until it expires, making Kerberos a very effi- cient authentication system. Depending upon the implementation, a Kerberos ticket usually expires after eight hours. By default, Kerberos uses DES symmetric key encryption. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 138 Internet Security Applications • Chapter 4 139 Kerberos Components A standard Kerberos implementation usually has the following components: Principal A computer, user, or entity that will be authenticated. Realm (Domain in Windows 2000) A logical grouping of principals that will be protected by Kerberos. All user accounts and protected resources reside within a Kerberos realm. Key Distribution Center (KDC) The portion of a Kerberos implementation that authenticates principals. The Key Distribution Center distributes secret keys and mediates between a client computer and a network resource to set up secure communications. Secret keys are stored on the Key Distribution Center. Ticket Granting Service (TGS) The Ticket Granting Service provides ses- sion tickets for accessing other resources in the Kerberos realm. The ticket granting service usually runs on the Key Distribution Center. Ticket Granting Ticket (TGT, or user ticket in Windows 2000) A secu- rity token that verifies that an entity has been authenticated. The TGT ensures that users will not need to reenter their passwords after an initial login, until the ticket expires. Session Ticket (ST, or service ticket in Windows 2000) A security token that allows a principal to access protected resources. A valid session ticket is required when accessing any Kerberos-enabled application. How Kerberos Works There are several functional steps that take place when a user authenti- cates to a Kerberos realm. First, a client requests a ticket from the Ticket Granting Service (TGS). Next, the server authenticates the client, and an encrypted ticket granting ticket (TGT) is sent back. This ticket is encrypted with the client’s secret key, which is stored in a database on the server. Table 4.3 details the contents of a Kerberos ticket. WARNING Secret keys generated for the Kerberos ticket exchange are stored on a KDC, so the physical security of this machine is vital. If a KDC is compro- mised, the whole network could be at risk. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 139 140 Chapter 4 • Internet Security Applications When the client accesses a protected resource on the network, a new request is sent to the Ticket Granting Service. During this request, the pre- viously obtained ticket granting ticket is presented and a session ticket is requested. A Session Ticket (ST) is generated by the TGS and is sent to the client. The session ticket is then presented to the protected server and access is granted. The session ticket is cached on the client for later use. The Kerberos authentication process is far more complex than what we have discussed here; however, the protocol is fast and efficient. In compar- ison, the user experience seems uneventful. After an initial authentication, usually in the form of entering a username and password, the rest of the process is transparent. When a Kerberos-enabled application (usually referred to as a Kerberized application) is launched, the authentication process happens without the user’s knowledge. In an environment with many Kerberized applications, single-sign-on (SSO) becomes a possibility. Unfortunately, there is still a relative lack of Kerberized applications. This will hopefully change in the future, with the inclusion of Kerberos 5 as the default authentication mechanism in Windows 2000. Table 4.3 Contents of a Kerberos Ticket Name of Field Contents of Field Ticket Version 5 Realm Name The name of the realm Server Name The name of the target server Flags The options for the ticket Key The session key Client Realm The initial realm that performed the authentication Client Name The name of the client Transited The names of the realm that have been crossed Authentication Time The time the ticket was created Start Time The time the ticket starts being valid End Time The time the ticket is no longer valid Renew Till Time The time the ticket absolutely expires Client Address The valid address(es) for the client Authorization Data The authorization data for the client Extensions An optional field for the use of application-specific data www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 140 Internet Security Applications • Chapter 4 141 Comparing Kerberos and Windows 2000 As the popularity and use of Windows NT 4.0 grew in the marketplace, so did interest in securing Windows NT systems. By adding Kerberos authen- tication into Windows 2000, Microsoft has increased the security capability of the operating system immensely. NT LAN Manager (NTLM) is provided for backward capability but should be disabled as soon as all the clients on the network can authenticate using Kerberos. As long as NTLM is avail- able on the network, security is not at its strongest point. Several benefits provided by Kerberos make it a better choice than NTLM for authentication. Kerberos is based on existing standards, so it allows Windows 2000 to interoperate on other networks that use Kerberos v5 as their authentication mechanism. NTLM cannot provide this function- ality because it is proprietary to Microsoft operating systems. Connections to application and file servers are also faster when Kerberos authentication is used because the Kerberos server needs to examine only the credentials supplied by the client to determine whether access is allowed. The same credentials supplied by the client can be utilized for the entire network logon session. When NTLM is used, the application and file servers must contact a domain controller to determine whether access is allowed by the client. Kerberos authentication also provides authentication for both the client and server side, but NTLM provides authentication only of the client. NTLM clients do not know for sure that the server they are communicating with is not a rogue server. Kerberos is also beneficial for trusts. It is the basis for transitive domain trusts, and Windows 2000 uses transitive trusts by default with other Windows 2000 domains. A transitive trust is a two-way trust in which a shared interrealm key is created. The domains trust each other because they both have the shared key. Many consider Microsoft’s Kerberos implementation to be nonstandard, due to changes and extensions they made to the protocol. These changes primarily revolve around the marriage of Kerberos and public key tech- nology, which allow users to replace their secret key authentication with a public key. This enables authentication to a Windows 2000 domain with a smart card, something that is considerably more secure than a static pass- word. Additionally, Microsoft terminology is slightly different than what is used in a standard implementation. For example, a traditional Kerberos Realm is referred to as a domain (similar to an NT domain). The ticket granting ticket (TGT) is called a user ticket, and a session ticket is called a service ticket. These differences aside, the Windows 2000 version of Kerberos has been demonstrated to be interoperable under several sce- narios with the MIT Kerberos v5 distribution. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 141 142 Chapter 4 • Internet Security Applications Keep in mind that in a Windows 2000 environment, every domain con- troller is also a KDC. This means that secret keys are stored on the server, so the physical and logical security of these machines is important. Internet Information Services 5 (IIS 5), Internet Explorer 5, COM+, and SQL Server 2000 are all Kerberos-enabled. Potential Security Risks with Kerberos There are several elements that can impact the security of a Kerberos implementation, and a great deal of design work should be performed before implementation. The primary weakness of Kerberos is that it remains vulnerable to password guessing attacks. If users select weak www.syngress.com How Microsoft Kerberos Interoperates with Other Kerberos Implementations A key concern for managers planning to implement Windows 2000 into their existing networks that utilize Kerberos is the interoperability of the different flavors of Kerberos. Microsoft has tested various scenarios between Microsoft Kerberos and the MIT implementation of Kerberos. Their findings are: ■ Clients that are not Windows-based can authenticate to a Windows 2000 KDC. ■ Windows 2000 systems can authenticate to the KDC in an MIT-based Kerberos realm. ■ Windows 2000 client applications can authenticate to Kerberos services running on systems that are not Windows- based as long as the service supports the Generic Security Service-Application Programming Interface (GSS-API). Windows 2000 uses the Security Support Provider Interface that is compatible with the GSS-API. ■ Client applications on Kerberos systems that do not use Windows can authenticate to services on Windows 2000 sys- tems as long as the client application supports the GSS-API. ■ Windows 2000 domains can trust MIT-based Kerberos realms, and MIT-based Kerberos realms can trust Windows 2000 domains when everything is configured appropriately. 115_MC_intsec_04 12/12/00 3:09 PM Page 142 Internet Security Applications • Chapter 4 143 passwords, it is possible to collect tickets, decrypt them, and impersonate the user. Static passwords are typically the weakest point in any security system, as users generally do not pick strong passwords. The marriage of public key technology and Kerberos takes an important step toward addressing this weakness. Kerberos stores keys on the Kerberos server. This makes the security of the server an important consideration. Kerberos is also dependent upon a reliable time mechanism, so this may be a point of attack, especially for Denial of Service (DoS). Kerberos assumes that hosts have not been compromised. Essentially, the model is one of trusted hosts on an untrusted network. If ticket lifetimes are set too long, the protocol becomes weak by exposing a session ticket for too much time. If the ticket lifetime is too short, it can impact usability and performance. Certainly the use of DES in Kerberos may be cause for some concern, as DES is no longer considered a strong algorithm. Kerberos v5 allows for stronger encryption algorithms like Triple-DES, and this would be pre- ferred. Other issues I will mention in passing include the use of transitive trusts and the ability to forward tickets. Both may present implementation issues if not carefully considered beforehand. Summary In this chapter, we learned about several technologies that can help pro- vide basic security services including auditing, authentication, authoriza- tion, availability, confidentiality, integrity, and nonrepudiation. We learned that different security applications meet different security requirements. We discussed concepts of public and secret key cryptography. Secret key cryptography is generally used to secure large amounts of data, whereas public key cryptography is used mainly for securely distributing secret keys. The distribution and management of public keys can be facili- tated through PKI. We learned about digital signatures and how they are used to ensure data integrity. We also learned how digital signatures are tied to an indi- vidual through the use of digital certificates. There are still many legal and technical issues that need to be addressed before this technology can truly live up to its promise. Some technologies help provide end-to-end session-based security like SSH and SSL. SSL is the most common mechanism for securing Web- based transactions; SSH provides a secure alternative for otherwise vulner- able protocols like Telnet and FTP. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 143 144 Chapter 4 • Internet Security Applications Secure messaging and e-mail can be provided using applications like PGP and S/MIME. Both programs take very different approaches to the issue of trust. Finally, we learned about secure user authentication using Kerberos. Kerberos can greatly enhance the security of a network by providing mutual authentication of both clients and servers. Each one of these technologies meets different security needs, just as each comes with its own vulnerabilities and inherent limitations. FAQs Q: How can I be sure an application using encryption is really secure? A: The first question to answer about a product whose security is at least partially dependent upon encryption is whether the product in question is using an industry-accepted algorithm like Triple-DES. Products that use proprietary algorithms rarely provide adequate security. You should also examine whether adequate key sizes have been used. DES, for example, is an industry-accepted algorithm, but at 56-bits does not provide sufficient key length to offer more than moderate security. You also need to examine how keys are managed. For example, if a secret key is stored on a local system, is access to the key protected? Other details you need to examine include the use of random number genera- tion, use of hash functions, adherence to applicable standards like PKCS or FIPS (Federal Information Processing Standards), and overall system operation. It is important to remember that when evaluating the security of a product or system, you need to know not only how each piece works, but also how they fail. Q: Are there back doors in PGP? A: Over the years, there have been many rumors about alleged “back doors” in PGP that would allow a third party—like the National Security Agency (NSA)—to intercept any communications made with the pro- gram. These rumors have all proven to be false. Philip Zimmermann is still actively involved in the development of the program, and it is unlikely that deliberate back doors have been placed in PGP with his knowledge. This stated, you should always ensure that you are obtaining your copy of PGP from a trusted source, such as directly from NAI. For the overly paranoid, it is possible to download PGP in source code format, perform a thorough code review, and compile a verified program. Source code is available at www.pgpi.com. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 144 Internet Security Applications • Chapter 4 145 Q: Are there export restrictions on cryptographic software? A: The export of cryptographic technology was formerly categorized under the International Traffic in Arms Regulations (ITAR). ITAR classified encryption under the same category as munitions, a category that includes firearms, missiles, nuclear weapons, and chemical agents. Recently, controls on the export of cryptographic technologies have been somewhat (though not completely) relaxed. If you are planning on exporting cryptographic software, one of the best Web sites to check is the Bureau of Export Administration US Department of Commerce at www.bxa.doc.gov/encryption. Also, there is a worldwide cryptography law survey available at http://cwis.kub.nl/~frw/people/koops/ lawsurvy.htm. Q: What is AES and why is it important? A: The Advanced Encryption Standard (AES) will become a new Federal Information Processing Standard (FIPS) publication that will replace the aging DES algorithm. As a rule, I no longer consider products that use the DES algorithm to be secure. AES was planned with the idea that the algorithm would be secure for the next twenty to thirty years. The National Institute of Standards and Technology (NIST) recently spon- sored a contest to determine a single AES algorithm and announced Rijndael as the winner. Further information about AES is available at http://csrc.nist.gov/encryption/aes. Q: What are some issues I could face deploying e-mail encryption at my company? A: There are many issues you may encounter if you decide to deploy encrypted e-mail services in a corporate environment. Some of these issues are technical in nature, and some of them involve user educa- tion. For example, users must be trained to recognize when an e-mail is sensitive and when to use encryption. I personally have found that a typical user has a great deal of difficulty understanding public key cryptography and why you must have a certificate or public key before you can encrypt a message. I have also had users question why the use of PGP requires a passphrase to access the secret key ring. Aside from the “people issues” you will encounter, you may also have a regulatory or business need to archive e-mail. Without proper escrow services, you will not be able to access encrypted communications. Clearly, virus scanning of encrypted content is not possible. This issue will become more prominent as technology like S/MIME is widely deployed. www.syngress.com 115_MC_intsec_04 12/12/00 3:09 PM Page 145 115_MC_intsec_04 12/12/00 3:09 PM Page 146 [...]... 5 .4) www.syngress.com 163 115_MC_intsec_05 1 64 12/12/00 3:13 PM Page 1 64 Chapter 5 • Attacks That Await Your Network Figure 5 .4 TCP SYN flooding attack: Step 3 Station A 3 Internet Station C Station B 4 At this point Station B drops legitimate connections and is likely to hang/crash (see Figure 5.5) Figure 5.5 TCP SYN flooding attack: Step 4 Station A 4 Station B Internet Station C There is no widely accepted... network security is to identify what an attack or intrusion is Any action that violates the security policy of your organization www.syngress.com 115_MC_intsec_05 12/12/00 3:13 PM Page 149 Attacks That Await Your Network • Chapter 5 should be considered a threat, but broadly speaking, attacks and intrusions can be summarised as an exploitation of the following: s Poor network perimeter/device security. .. with Web browsers on the market Of course, in your travels you will most likely run across Microsoft’s Internet Explorer, so we will focus on that Internet Explorer has been found susceptible to many potential security flaws; the following examples are fairly common: 1 Cached Web Credentials A potential security risk that can occur if someone logs into a secure site that requires authentication IE will...115_MC_intsec_05 12/12/00 3:13 PM Page 147 Chapter 5 Attacks That Await Your Network Solutions in this chapter: s Identifying Types of Attacks s Protecting your Network from Specific Attacks s Choosing an Intrusion Detection Package 147 115_MC_intsec_05 148 12/12/00 3:13 PM Page 148 Chapter 5 • Attacks That Await Your Network Introduction Securing your corporate... perimeter/device security s Poor physical security s Application and operating software weaknesses s Human failure s Weaknesses in the Internet Protocol (IP) suite of protocols Before we look at these threats in more detail let me suggest that you assume a devious mind—it helps when it comes to learning about intrusion detection Poor Network Perimeter/Device Security This can be described as the ease... session This potentially could allow an intruder access between SSL connections and could allow them to disrupt or destroy data For more information on IE security bulletins, or Microsoft security bulletins in general, please visit www.microsoft.com/technet /security/ current.asp Getting Passwords: Easy Ways and Cracking Programs Most people have at one time or another created a simple password based on objects... Microsoft OS Older versions such as Windows 95 are affected, but the security issue was corrected prior to the release of Windows 98, so Windows 98 is not affected Windows NT resolved this issue with a service pack, and all later versions of the Microsoft OS are not affected (i.e., Windows Me and Windows 2000) Layer 3 /4 Attacks Layer 3 and Layer 4 attacks occur at the network and transport layers of the OSI... Station A 1 Internet Station B Station C 2 Station B sends back SYN/ACKs and maintains the half-opened connections in a queue as it waits for ACKs from the nonexistent hosts at the source addresses (see Figure 5.3) Figure 5.3 TCP SYN flooding attack: Step 2 Station A 2 Internet Station B Station C 3 Station B runs out of resources waiting for ACKs back from nonexistent hosts (see Figure 5 .4) www.syngress.com... to receive incoming faxes www.syngress.com 151 115_MC_intsec_05 152 12/12/00 3:13 PM Page 152 Chapter 5 • Attacks That Await Your Network Poor Physical Security There are simple security measures that can be taken in the physical world to ensure better security for your systems Locking your doors is obviously a good common-sense start, but there are often a number of simple procedures and safeguards... TCP retransmission time by 50 percent The aggressiveness of this behavior can be adjusted to fit security policy For further information on TCP SYN flooding, go to www.cert.org/advisories/CA-1996-21.html SMURF IP Spoofing Attack This is based on IP spoofing where multiple broadcast pings are sent out by Station C with Station A’s IP address as the source Station A could be overwhelmed with Internet Control . data www.syngress.com 115_MC_intsec_ 04 12/12/00 3:09 PM Page 140 Internet Security Applications • Chapter 4 141 Comparing Kerberos and Windows 2000 As the popularity and use of Windows NT 4. 0 grew in the marketplace,. vulner- able protocols like Telnet and FTP. www.syngress.com 115_MC_intsec_ 04 12/12/00 3:09 PM Page 143 144 Chapter 4 • Internet Security Applications Secure messaging and e-mail can be provided using. available at www.pgpi.com. www.syngress.com 115_MC_intsec_ 04 12/12/00 3:09 PM Page 144 Internet Security Applications • Chapter 4 145 Q: Are there export restrictions on cryptographic software? A: