Mechanics of User Identification and Authentication

Transcription

1 Mechanics of User Identification and Authentication Fundamentals of Identity Management DOBROMIR TODOROV A Auerbach Publications Taylor & Francis Group Boca Raton New York Auerbach Publications is an imprint of the Taylor St Francis Group, an informa business

2 Contents Acknowledgments About the Author About This Book xix xxi xxiii 1 User Identification and Authentication Concepts Security Landscape Authentication, Authorization, and Accounting Identification and Authentication Authorization User Logon Process Accounting Threats to User Identification and Authentication Bypassing Authentication Default Passwords Privilege Escalation Obtaining Physical Access Password Guessing: Dictionary, Brüte Force, and Rainbow Attacks Sniffing Credentials off the Network Replaying Authentication Downgrading Authentication Strength Imposter Servers Man-in-the-Middle Attacks Session Hijacking Shoulder Surfing Keyboard Loggers, Trojans, and Viruses Offline Attacks Social Engineering Dumpster Diving and Identity Theft 18 ix

3 x Contents 1.4 Authentication Credentials Password Authentication Static Passwords One-Time Passwords Asymmetrie Keys and Certificate-Based Credentials Biometrie Credentials Ticket-Based Hybrid Authentication Methods Enterprise User Identification and Authentication Challenges Authenticating Access to Services and the Infrastructure Authenticating Access to the Infrastructure Authenticating Access to Applications and Services Delegation and Impersonation Cryptology, Cryptography, and Cryptanalysis The Goal of Cryptography Protection Keys Symmetrie Encryption Asymmetrie Keys Hybrid Approaches: Diffie-Hellman Key Exchange Algorithm Encryption Data Encryption Standard (DES/3DES) Advanced Encryption Standard (AES) RC4 (ARCFOUR) RSA Encryption Algorithm (Asymmetrie Encryption) Data Integrity Message Integrity Code (MIC) Message Authentication Code (MAC) 61 2 UNIX User Authentication Architecture Users and Groups Overview Case Study: Duplicate UIDs Case Study: Group Login and Supplementary Groups Simple User Credential Stores UNIX Password Encryption The /etc/passwd File The /etc/group File The /etc/shadow File The /etc/gshadow File The /etc/publickey file The /etc/cram-md5.pwd File The SASL User Database The htpasswd File Samba Credentials The Kerberos Principal Database Name Services Switch (NSS) 84

4 Contents xi 2.4 Pluggable Authentication Modules (PAM) The UNIX Authentication Process User Impersonation Case Study: User Authentication against LDAP Preparing Active Directory PADL LDAP Configuration User Authentication Using NSS LDAP User Authentication Using PAM LDAP Case Study: Using Hesiod for User Authentication in Linux Windows User Authentication Architecture Security Principals Security Identifiers (SIDs) Users and Groups Case Study: Group SIDs Access Tokens Case Study: SIDs in the User Access Token User Rights Stand-Alone Authentication Interactive and Network Authentication Interactive Authentication on Windows Computers The Security Accounts Manager Database Case Study: User Properties Windows NT Local User Accounts Case Study: Group Properties Windows Local Group Accounts SAM Registry Structure User Passwords Storing Password Hashes in the Registry SAM File LM Hash Algorithm NT Hash Algorithm Password Hash Obfuscation Using DES SYSKEY Encryption for Storing Password Hashes in the SAM Case Study: The SYSKEY Utility, the System Key, and Password Encryption Key Threats to Windows Password Hashes Tools to Access Windows Password Hashes Case Study: Accessing Windows Password Hashes with pwdump LSA Secrets Case Study: Exploring LSA Secrets on a Windows NT 4.0 Domain Controller That Is an Exchange 5.5 Server Logon Cache Protected Storage Data Protection API (DPAPI) 200

5 xii Contents Credential Manager Case Study: Exploring Credential Manager Windows Domain Authentication Domain Model Joining a Windows NT Domain Computer Accounts in the Domain Domains and Trusts Case Study: Workstation Trust and Interdomain Trust SID Filtering across Trusts Migration and Restructuring Null Sessions Case Study: Using Null Sessions Authentication to Access Resources Case Study: Domain Member Start-up and Authentication Case Study: Domain Controller Start-up and Authentication Case Study: Windows NT 4.0 Domain User Logon Process Case Study: User Logon to Active Directory Using Kerberos Windows NT 4.0 Domain Model User Accounts Group Accounts and Group Strategies Authentication Protocols: NTLM and LM Trust Relationships Active Directory Active Directory Overview Logical and Physical Structure Active Directory Schema Database Storage for Directory Information Support for Legacy Windows NT Directory Services Hierarchical LDAP-Compliant Directory Case Study: Exploring Active Directory Using LDPEXE User Accounts in AD Case Study: User Logon Names in Active Directory Case Study: Using LDAP to Change User Passwords in Active Directory Case Study: Obtaining Password Hashes from Active Directory Group Accounts and Group Strategy in AD Case Study: Exploring the Effects of Group Nesting to User Access Token Computer Accounts in AD 270

6 Contents xiii Trees, Forests, and Intra-forest Trusts Case Study: User Accesses Resources in Another Domain in the Same Forest Trusts with External Domains Case Study: Exploring External Trusts Case Study: Exploring Forest Trusts Selective Authentication Case Study: Exploring Authentication Firewall and User Access Tokens Protocol Transition Federated Trusts Impersonation Secondary Logon Service Application-Level Impersonation Authenticating Access to Services and Applications Security Programming Interfaces Generic Security Services API (GSS-API) Kerberos Version 5 as a GSS-API Mechanism SPNEGO as a GSS-API Mechanism Security Support Provider Interface (SSPI) SSP Message Support Strong Keys and 128-bit Encryption SSPI Signing SSPI Sealing (Encryption) Controlling SSP Behavior Using Group Policies Microsoft Negotiate SSP GSS-API and SSPI Compatibility Authentication Protocols NTLM Authentication NTLM Overview The Concept of Trust and Secure Channels Domain Member Secure Channel Establishment Domain Controller Secure Channel Establishment across Trusts SMB/CIFS Signing Case Study: Pass-through Authentication and Authentication Piggybacking NTLM Authentication Mechanics Case Study: NTLM Authentication Scenarios NTLM Impersonation Kerberos Authentication Kerberos Overview The Concept of Trust in Kerberos Name Format for Kerberos Principals 389

7 xiv Contents Kerberos Authentication Phases Kerberos Tickets Kerberos Authentication Mechanics Case Study: Kerberos Authentication: CIFS Authorization Information and the Microsoft PAC Attribute Kerberos Credentials Exchange (KRB_CRED) Kerberos and Smart Card Authentication (PKInit) Kerberos User-to-User Authentication Kerberos Encryption and Checksum Mechanisms Case Study: Kerberos Authentication Scenarios Kerberos Delegation Simple Authentication and Security Layer (SASL) Kerberos IV GSS-API S/Key Authentication Mechanism External Authentication SASL Anonymous Authentication SASL CRAM-MD5 Authentication SASL Digest-MD5 Authentication SASL and User Password Databases Transport Layer Security (TLS) and Secure Sockets Layer (SSL) Hello Phase Server Authentication Phase Client Authentication Phase Calculate the Master Secret Calculate Protection Keys Negotiate Start of Protection Phase Resuming TLS/SSL Sessions Using SSL/TLS to Protect Generic User Traffic Using SSL/TLS Certificate Mapping as an Authentication Method Telnet Authentication Telnet Login Authentication Telnet Authentication Option FTP Authentication FTP Simple Authentication Anonymous FTP FTP Security Extensions with GSS-API FTP Security Extensions with TLS HTTP Authentication HTTP Anonymous Authentication HTTP Basic Authentication HTTP Digest Authentication 492

8 Contents xv HTTP GSS-API/SSPI Authentication Using SPNEGO and Kerberos HTTP NTLMSSP Authentication HTTP SSL Certificate Mapping as an Authentication Method Form-Based Authentication Microsoft Passport Authentication HTTP Proxy Authentication POP3/IMAP Authentication POP3/IMAP Password Authentication POP3/IMAP Piain Authentication POP3 APOP Authentication POP3/IMAP Login Authentication POP3/IMAP SASL CRAM-MD5 and DIGEST-MD5 Authentication POP3/IMAP and NTLM Authentication (Secure Password Authentication) SMTP Authentication SMTP Login Authentication SMTP Piain Authentication SMTP GSS-API Authentication SMTP CRAM-MD5 and DIGEST-MD5 Authentication SMTP Authentication Using NTLM LDAP Authentication Simple Authentication LDAP Anonymous Authentication LDAP SASL Authentication Using Digest-MD LDAP SASL Authentication Using GSS-API SSH Authentication SSH Public Key Authentication SSH Host Authentication SSH Password Authentication SSH Keyboard Interactive Authentication SSH GSS-API User Authentication SSH GSS-API Key Exchange and Authentication Sun RPC Authentication RPC AUTH_NULL (AUTH_NONE) Authenücaüon RPC AUTHJJNIX (AUTH_SYS) Authentication RPC AUTH_SHORT Authentication RPC AUTH_DES (AUTH_DH) Authentication RPC AUTH_KERB4 Authentication RPCSEC_GSS Authentication SMB/CIFS Authentication NFS Authentication Microsoft Remote Procedure Calls 56l 4.15 MS SQL Authentication MS SQL Authentication over the TCP/IP Transport 563

9 xvi Contents MS SQL Server Authentication over Named Pipes MS SQL Server Authentication over Multiprotocol MS SQL Server and SSL Oracle Database Server Authentication Oracle Legacy Authentication Database Legacy OracleNet Authentication Oracle Advanced Security Mechanisms for User Authentication MS Exchange MAPI Authentication SAML, WS-Security, and Federated Identity XML and SOAP SAML SAML and Web Single Sign-On Case Study: Web Single Sign-On Mechanics SAML Federated Identity Account Linking WS-Security Authenticating Access to the Infrastructure User Authentication on Cisco Routers and Switches Authentication to Router Services Local User Database and Passwords Centralizing Authentication New-Model AAA Authenticating Remote Access to the Infrastructure SLIP Authentication PPP Authentication Password Authentication Protocol (PAP) CHAP MS-CHAP Version 1 and Extensible Authentication Protocol (EAP) EAP-TLS EAP-TTLS Protected EAP (PEAP) Lightweight EAP (LEAP) EAP-FAST EAP-FAST Automatic Provisioning (EAP-FAST Phase 0) Tunnel Establishment (EAP-Phase 1) User Authenticaüon (EAP-FAST Phase2) Port-Based Access Control Overview of Port-Based Access Control EAPOL EAPOL Key Messages Authenticating Access to the Wireless Infrastructure Wi-Fi Authentication Overview WEP Protection 625

10 Contents xvii Open Authentication Shared Key Authentication WPA/WPA2 and IEEE 802.lli WPA/WPA2 Enterprise Mode WPA/WPA2 Preshared Key Mode (WPA-PSK) IPSec, IKE, and VPN Client Authentication IKE Peer Authentication IKE and IPSec Phases Preshared Key Authentication IKE Signature-Based Authentication IKE Public Key Authentication, Option IKE Public Key Authentication, Option IKE XAUTH Authentication and VPN Clients Centralized User Authentication RADIUS Overview The Model of Trust in RADIUS RADIUS Authentication Requests from Edge Devices RADIUS and EAP Pass-through Authentication TACACS Overview TACACS+ Channel Protection TACACS+ Authentication Process 684 Appendices A References 691 Printed References 691 Online References 692 B Lab Configuration 701 C Indices of Tables and Figures 705 Index of Tables 705 Index of Figures 709 Index 713