Secure Login Issues & Solutions
Steve Parkinson, Principal Engineer, Red Hat Certificate System
Agenda
- Login problems and corporate security
- Solutions
  - LDAP solutions with Red Hat Directory Server
  - PKI solutions with Red Hat Certificate System
  - Smartcard management innovations
- Demo: Red Hat Certificate System and Axalto Cyberflex egate Smart Card
How to tackle authentication
- What are you trying to get from your authentication mechanism?
  - high-assurance: tie a user with a browser to some real-world person
  - low-assurance: establish a base level of trust via user tracking
- What are you protecting?
  - user's confidential data
  - your content
- Relationship to the user
  - customer, employee, contractor, partner, supplier
- What are the consequences if something goes wrong?
  - lose your job
  - stock price hit
  - go to jail
Authentication vs Authorization
- Authentication = who are you
- Authorization = which systems can you access
Regulatory issues
- Regulatory compliance
  - Increasing complexity: Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA
- Accountability
  - Need to reduce liability
  - Non-repudiation (employees can't deny actions after the fact)
  - Higher assurance for authentication and access
- Privacy
  - Increasing need to restrict access to confidential information (e.g. VISA CISP)
  - Banking (GLB), patient records (HIPAA), personal data (California Financial Information Privacy Act)
Problem: Too many passwords
- Applications like to maintain their own user repository.
- Solution: Consolidate the password database
  - Choose applications which:
    - Use PAM (most preferred)
    - Support LDAP natively
    - Use XYZ->LDAP gateways
    - Use synchronization tools (least preferred)
  - Benefits:
    - Less maintenance overhead
    - Users less likely to write passwords down
- Caveat: Consolidation exposes you to bigger risk
Problem: Dictionary attacks
- Weak passwords can be discovered
- Solution: Don't allow weak passwords
  - Use a password policy to enforce strong passwords
  - Rate limiting (one-time-PIN token)
- Caveats:
  - Stronger passwords are more difficult to remember. The user is more likely to reuse them on other (external) systems.
  - Rate limiting requires password checking to be coordinated among replicas.
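The two mitigations on this slide, a password policy and rate limiting of failed logins, as an added example that is not part of the original deck or of Red Hat Directory Server. The policy thresholds, the small dictionary of banned words and the account name are constructed for illustration; a real deployment would take the dictionary from a proper wordlist and keep the failure counters in the directory so that every replica sees them.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample dictionary of words a password must not contain.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "redhat"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_policy_errors(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable.

    The rules are assumptions for this example: minimum length, a minimum number of
    character classes, and no embedded dictionary word (case-insensitive).
    """
    errors = []
    if len(password) < min_length:
        errors.append(f"must be at least {min_length} characters")
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < min_classes:
        errors.append(f"must use at least {min_classes} of: lowercase, uppercase, digits, symbols")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            errors.append(f"contains dictionary word '{word}'")
    return errors


class LoginRateLimiter:
    """Sliding-window limiter: after max_failures failed logins within window_seconds,
    further attempts for that account are refused until old failures age out.

    The clock is injectable so the behaviour can be tested without sleeping.
    State lives in this process only (see the slide's caveat about replicas).
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures

    def _prune(self, account: str) -> None:
        now = self.clock()
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def allowed(self, account: str) -> bool:
        """True if the account has not yet exhausted its failure budget."""
        self._prune(account)
        return len(self.failures[account]) < self.max_failures

    def record_failure(self, account: str) -> None:
        self.failures[account].append(self.clock())

    def record_success(self, account: str) -> None:
        # A successful login clears the window so legitimate users are not penalised later.
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ("password123", "Tr0ub4dor&3xyz!"):
        print(candidate, "->", password_policy_errors(candidate) or "ok")
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    for _ in range(3):
        limiter.record_failure("alice")  # constructed account name
    print("alice allowed after 3 failures:", limiter.allowed("alice"))
```

The limiter refuses attempts rather than slowing the password check itself, which keeps the directory's bind path unchanged; the trade-off is that an attacker who knows the threshold can lock a user out, so the window should be short and the lockout logged for the helpdesk.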
Problem: Forgotten passwords
- Need to maintain helpdesk, policy and process for resetting passwords
  - Significant cost
  - Avenue for social engineering attacks
- Solution: ???
Problem: Password Replay
- It is difficult for a user to figure out who to trust
  - 85% of San Franciscans would give up their password for a free cup of coffee
  - http://www.redherring.com/article.aspx?a=12025&hed=your+password+for+a+latte%3f
- Once given out, the secret can be replayed to another system
- Solution: Use a credential which is not susceptible to reuse
  - One-time-password tokens
  - Kerberos
  - PKI
- Caveat: OTP tokens are still vulnerable to man-in-the-middle attacks
Problems: Kerberos
- Extranet/internet deployments difficult:
  - require legal cooperation between the parties
  - expose one party to breaches in another
- Requires extra code:
  - Must implement crypto algorithms securely
  - Protocols must be adapted to support ticket passing
- Most cases still rely on passwords to get the initial ticket
Problems: PKI client-auth
- Educating the user is difficult
  - Which parts of the cert/key are private?
  - What on earth is going on?
  - How do I login from another machine?
- Solution
  - Improve the UI (e.g. the padlock)
  - Remove references to 'certificate', 'key'
  - Use the smartcard/ATM analogy
Problems: PKI application support
- All major webservers and browsers support SSL client-authentication
- IMAP and LDAP protocols support SSL client-authentication
- Other apps have poor support
- Solution:
  - Red Hat will provide PKI support in more applications as time goes by: Login, VPN, Browser
  - Use PKInit to use PKI with Kerberos-enabled applications
  - A simple library for using LDAP, Kerberos, or PKI authentication
Demo: Certificate System and Axalto Cyberflex egate Smart Cards
- Certificate System 7.1 running on RHEL 3
- Enterprise Security Client running on RHEL 4
  - ESC detects uninitialized token, displays custom enrollment UI from back end
- Cert System back end
  - Updates applet
  - Triggers key generation on token
  - Constructs certificates, injects into token
- Firefox browser
  - Recognizes token insertion and removal for client authentication
- Thunderbird email client
  - Recognizes token insertion and removal for decryption
Questions
- What kind of applications do you have authentication problems with?
- What kind of identity management solution would meet your needs?
- What are your most urgent security issues?
- [ others ]