"Upon receiving on her ninety-second birthday the first copy of Why Buildings Stand Up, [my mother-in-law] said matter-of-factly, 'This is nice, but I'd be much more interested in reading why they fall down.'"
-- Mario G. Salvadori, Why Buildings Fall Down (as quoted in Authentication: From Passwords to Public Keys by Richard E. Smith)
Attacking Kerberos and the New Hadoop Security Design Andrew Becherer https://www.isecpartners.com
About Me
Who are you?
- Senior Security Consultant at iSEC Partners
- Work in our application security consulting practice
- Based in Seattle
What is this talk about?
- A Kerberos introduction and practical attacks against common Kerberos deployment patterns
- The new Apache Hadoop security model
Why should I care?
- If you have authenticated to another machine at work, you have probably used Kerberos
- You probably have data stored in Hadoop, or there is data about you stored in Hadoop somewhere
Agenda
- Kerberos Overview
- A Few Kerberos Attacks
- Did Kerberos Make Hadoop Safer?
  - What is Hadoop
  - Old School Hadoop Risks
  - The New Approach to Security
  - Concerns
  - One Alternative Strategy
Kerberos Overview
Kerberos rules the Intranet
- Interoperable and standardized
- The most widely used and preferred authentication protocol in large, centrally managed environments: Windows Active Directory networks; large educational networks on Unix/Linux
- Still being adopted in new places: Hadoop; web services; Windows CardSpace (codenamed InfoCard)
Kerberos Etypes
Based on research by iSEC Partners' Scott Stender.
Cryptographic Primitives
- Cryptographic agility was a big driver for Kerberos v5
- Etypes define the set of primitives to be used for cryptographic operations
- Examples include: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, rc4-hmac, des-cbc-md5, rc4-hmac-exp
Preauth (diagram)
Attacking Etype Negotiation
How can an active attacker influence etype negotiation to his or her advantage?
- Lie to the server about client capabilities: downgrade the initial anonymous AS-REQ; downgrade the authenticated AS-REQ
- Lie to the client about server capabilities: downgrade the KDC_ERR_PREAUTH_REQUIRED error (and several other error replies)
Both the etype list in the initial AS-REQ and the etype hint in the KDC's error reply travel unauthenticated, which is what makes the rewrite possible.
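As an added illustration (not code from the talk or from any Kerberos implementation), the following Python models the two unauthenticated messages named on the slide, the initial AS-REQ and the KDC's pre-authentication error, and shows what an on-path attacker can do to each and which client-side policy stops it. The etype numbers are the RFC 3961 assignments for the names the talk lists; the principal, its keys and the message layout are constructed placeholders, and the "permitted" set stands in for a client policy such as MIT krb5's permitted_enctypes with allow_weak_crypto = false.

```python
"""Toy model of Kerberos etype negotiation and its downgrade (added example).

Messages are plain dicts, not ASN.1, and no real cryptography is performed;
the point is which etype ends up selected and whether the client's policy
lets the downgraded result through.
"""

# Etype numbers per RFC 3961 / IANA, for the names the talk lists.
ETYPES = {
    18: "aes256-cts-hmac-sha1-96",
    17: "aes128-cts-hmac-sha1-96",
    23: "rc4-hmac",
    3: "des-cbc-md5",
    24: "rc4-hmac-exp",
}

# Constructed KDC database: a principal that still has a DES key (password
# last set before weak etypes were disabled). Key values are placeholders.
PRINCIPAL_KEYS = {18: "K_aes256", 17: "K_aes128", 23: "K_rc4", 3: "K_des"}


def build_as_req(cname, offered_etypes):
    """Initial AS-REQ. Nothing in it is authenticated, so the etype list is
    whatever the network delivers to the KDC."""
    return {"msg": "AS-REQ", "cname": cname, "etype": list(offered_etypes)}


def mitm_filter_etypes(etypes, attacker_allows):
    """On-path attacker keeps only the etypes they are able to break."""
    return [e for e in etypes if e in attacker_allows]


def kdc_as_rep(as_req, principal_keys):
    """KDC (pre-authentication omitted): use the first offered etype it holds
    a key for, otherwise answer KDC_ERR_ETYPE_NOSUPP."""
    for e in as_req["etype"]:
        if e in principal_keys:
            return {"msg": "AS-REP", "etype": e,
                    "enc_part": f"<ticket material under {ETYPES[e]}>"}
    return {"msg": "KRB-ERROR", "error": "KDC_ERR_ETYPE_NOSUPP"}


def kdc_preauth_required(as_req, principal_keys):
    """KDC when pre-authentication is required: KRB-ERROR carrying ETYPE-INFO2,
    the hint telling the client which etype(s) to derive its password key for.
    This error is unauthenticated as well."""
    hint = [e for e in as_req["etype"] if e in principal_keys]
    return {"msg": "KRB-ERROR", "error": "KDC_ERR_PREAUTH_REQUIRED",
            "etype_info2": hint}


def client_accepts(as_rep, permitted_etypes):
    """Client policy check on the reply. A client that accepts any etype it
    merely implements takes the downgraded reply; one that enforces a permitted
    set (MIT krb5: permitted_enctypes, allow_weak_crypto = false) does not."""
    return as_rep["msg"] == "AS-REP" and as_rep["etype"] in permitted_etypes


def client_preauth_etype(krb_error, permitted_etypes):
    """Etype the client will use for its encrypted-timestamp pre-auth: the
    first hinted one inside its policy, or None (abort) if there is none."""
    for e in krb_error.get("etype_info2", []):
        if e in permitted_etypes:
            return e
    return None


def as_exchange(offered, permitted, attacker_allows=None):
    """Run one AS exchange. Returns (etype the KDC chose or None, accepted?)."""
    req = build_as_req("alice@EXAMPLE.COM", offered)
    if attacker_allows is not None:
        req["etype"] = mitm_filter_etypes(req["etype"], attacker_allows)
    rep = kdc_as_rep(req, PRINCIPAL_KEYS)
    return rep.get("etype"), client_accepts(rep, permitted)


def preauth_exchange(offered, permitted, attacker_allows=None):
    """Run the pre-auth hint leg. Returns the etype the client would derive
    its key for, or None if the (possibly rewritten) hint violates its policy."""
    err = kdc_preauth_required(build_as_req("alice@EXAMPLE.COM", offered),
                               PRINCIPAL_KEYS)
    if attacker_allows is not None:
        err["etype_info2"] = mitm_filter_etypes(err["etype_info2"], attacker_allows)
    return client_preauth_etype(err, permitted)


if __name__ == "__main__":
    everything = [18, 17, 23, 3]
    print("no attacker:               ", as_exchange(everything, set(everything)))
    print("AS-REQ downgrade, lax:     ", as_exchange(everything, set(everything), {3}))
    print("AS-REQ downgrade, strict:  ", as_exchange(everything, {18, 17}, {3}))
    print("weak etypes never offered: ", as_exchange([18, 17], {18, 17}, {3}))
    print("hint rewritten, lax:       ", preauth_exchange(everything, set(everything), {3}))
    print("hint rewritten, strict:    ", preauth_exchange(everything, {18, 17}, {3}))
```

Two things to take from the runs: a client that never offers, and never accepts, the weak etypes turns the attacker's rewrite into a KDC error rather than a DES-protected ticket, and the same policy applies to the ETYPE-INFO2 hint, since deriving a DES key from the password for pre-authentication is itself the downgrade. The server-side half of the fix, which the model does not exercise, is to purge legacy keys from the principal so the KDC cannot honour a downgraded request even from an unpatched client.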
Public Key Kerberos & Smart Cards
Based on research by iSEC Partners' Brad Hill.
Basics of PKINIT (diagram)
Trust
- Certificates must be issued by a specific root CA (or CAs): a config file for Unix/Linux clients; the registry and Active Directory for Windows clients
- Client certs must be issued by this authority and carry the Smart Card Logon Extended Key Usage (EKU)
- How is the KDC authenticated by the client? Check for the id-pkinit-KPKdc EKU in the KDC certificate? Maybe.
Require strict KDC validation (policy setting; new in Vista SP1)
"This policy setting controls the Kerberos client's behavior in validating the KDC certificate. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAUTH store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate."
Yadda, yadda, yadda...
"If you disable or do not configure this policy setting, the Kerberos client will require only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions."
Computer Template (certificate template screenshot)
Match the X.509 Subject in the Cert?
- MIT and Heimdal could check that the name is in the list of KDCs for the realm in /etc/krb5.conf, but don't
- Windows doesn't know who the DC/KDC is. It asks the network via a combination of insecure protocols: DNS SRV records, NetBIOS, unauthenticated CLDAP
- It doesn't bother to do a DNS-to-CNAME match anyway
- DNSSEC won't save you
- On a side note, Kerberos traffic is usually exempt from IPsec policy (since it is used, with IKE, to bootstrap IPsec)
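To make the difference between the two Windows policies quoted above concrete, here is an added example (not code from the talk, from Windows, or from MIT/Heimdal) that applies both checks to constructed certificate descriptions. The certificates are plain dicts rather than parsed X.509, path validation is reduced to an issuer lookup, and the CA names, hostnames and domain are made up; the OIDs are the real RFC 5280 and RFC 4556 values. The reading of "matches the DNS name of the domain" as the domain itself or a host under it is this example's assumption.

```python
"""Added example: the default and strict KDC-certificate checks from the
Windows policy text, over constructed certificate descriptions."""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # RFC 5280 id-kp-serverAuth
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"      # RFC 4556 id-pkinit-KPKdc


def chains_to(cert, trusted_cas):
    """Stand-in for path validation: the issuer must be a trusted CA."""
    return cert["issuer"] in trusted_cas


def default_kdc_check(cert, trusted_cas):
    """Policy disabled or not configured: any certificate from a trusted CA
    that carries the Server Authentication EKU passes as the KDC's."""
    return chains_to(cert, trusted_cas) and ID_KP_SERVER_AUTH in cert["eku"]


def strict_kdc_check(cert, ntauth_cas, domain_dns):
    """Policy enabled on a domain-joined client: KDC key-purpose EKU present,
    a dNSName SAN matching the domain, issuer in the NTAUTH store. 'Matching
    the domain' is read as the domain name or a host under it (assumption)."""
    domain = domain_dns.lower()
    name_ok = any(
        san.lower() == domain or san.lower().endswith("." + domain)
        for san in cert["dns_sans"]
    )
    return (chains_to(cert, ntauth_cas)
            and ID_PKINIT_KPKDC in cert["eku"]
            and name_ok)


NTAUTH = {"CORP Issuing CA"}  # constructed: the enterprise CA the domain trusts

# A genuine domain controller certificate (constructed).
KDC_CERT = {"issuer": "CORP Issuing CA",
            "eku": [ID_KP_SERVER_AUTH, ID_PKINIT_KPKDC],
            "dns_sans": ["dc01.corp.example"]}

# An ordinary intranet web server certificate from the same CA (constructed).
WEB_CERT = {"issuer": "CORP Issuing CA",
            "eku": [ID_KP_SERVER_AUTH],
            "dns_sans": ["intranet.corp.example"]}

# A lookalike issued by a CA the domain does not trust (constructed).
ROGUE_CERT = {"issuer": "Attacker CA",
              "eku": [ID_KP_SERVER_AUTH, ID_PKINIT_KPKDC],
              "dns_sans": ["dc01.corp.example"]}


def evaluate(cert, domain_dns="corp.example"):
    """Returns (accepted under default policy, accepted under strict policy)."""
    return (default_kdc_check(cert, NTAUTH),
            strict_kdc_check(cert, NTAUTH, domain_dns))


if __name__ == "__main__":
    for name, cert in [("KDC", KDC_CERT), ("web server", WEB_CERT), ("rogue", ROGUE_CERT)]:
        default_ok, strict_ok = evaluate(cert)
        print(f"{name:11s} default={default_ok} strict={strict_ok}")
```

Read together with the KDC discovery points above: a client that locates its KDC through DNS SRV, NetBIOS and unauthenticated CLDAP will talk to whichever host answers, so what the attacker needs is a key pair that passes the certificate check. Under the default policy the private key of any server-authentication certificate the enterprise CA ever issued (the web server entry here) is enough; under the strict policy only a certificate explicitly issued for KDC use with a name in the domain passes. The name check is only as good as the client's independent knowledge of the domain name, which is configuration, not something learned from the same insecure lookups.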
Elevation: MIT/Heimdal kinit + NFS
Windows Clients?
Read: Attacking Kerberos Deployments by Rachel Engel, Brad Hill and Scott Stender
Kerberized Applications
Based on research by iSEC Partners' Rachel Engel.
Punchline
- Replay attacks: Kasslin, Tikkanen, Virtanen, "Kerberos V Security: Replay Attacks"
- Mutual authentication, or lack thereof: mutual authentication means, at best, "I have a session key with my friend designated by this Service Principal Name (SPN)"
- Packet integrity, or lack thereof
- Packet privacy, or lack thereof
New Hadoop Security Design Andrew Becherer https://www.isecpartners.com
Conclusion Did Hadoop Get Safer?
Conclusion
It is a foundation.
What is Hadoop?
- HDFS and MapReduce
- Simplified View
- Who Is Using It
HDFS and MapReduce
Data model alternatives to SQL are in demand.
HDFS and MapReduce
- Data Nodes and the Name Node: data access
- Job Tracker: job submission
- Task Tracker: work
- Optional other services: workflow managers, bulk data distribution
Simplified View (diagram): the user submits a job to the Job Tracker, which hands work to Task Trackers; the Tasks they run read from and write to HDFS.
Who is Using It
Hadoop Risks
- Insufficient Authentication
- No Privacy & No Integrity
- Arbitrary Code Execution
- What Does It Mean?
Insufficient Authentication
- Hadoop did not authenticate users
- Hadoop did not authenticate services
No Privacy & No Integrity
- Hadoop used insecure network transports
- Hadoop did not provide message-level security
Arbitrary Code Execution
- Malicious users could submit jobs that would execute with the permissions of the Task Tracker
What Does It Mean?
- Alice has access to the Hadoop cluster
- Bob has access to the Hadoop cluster
- Alice and Bob have to trust each other completely
- If Mallory gets access to the cluster, so does everything Alice and Bob put in it
The New Approach
- Kerberos
- Delegation Tokens
- New Workflow Manager
- Stated Limitations
Kerberos
"This update integrates Hadoop with Kerberos, a mature open source authentication standard." (http://developer.yahoo.com/hadoop/)
- Users authenticate to the edge of the cluster with Kerberos (via GSSAPI)
- User and group access is maintained in cluster-specific access control lists
- See Attacking Kerberos Deployments from Black Hat USA 2010 by Scott Stender, Brad Hill and Rachel Engel
Delegation Tokens
- To prevent bottlenecks at the KDC, Hadoop uses various tokens internally: Delegation Token, Job Token, Block Access Token
- Token authentication runs over the Simple Authentication and Security Layer (SASL) with an RPC DIGEST mechanism
Stated Limitations
- The degradation of GridMix performance should be no more than 3%.
- Users will not have access to root accounts on the cluster or on the machines that are used to launch jobs.
- HDFS and MapReduce communication will not travel on untrusted networks.
Source: Hadoop Security Design by Owen O'Malley, Kan Zhang, Sanjay Radia, Ram Marti, and Christopher Harrell of Yahoo!
Concerns
- Quality of Protection (QoP)
- Symmetric Cryptography Keys Exposed
- Pluggable Web UI Authentication
- IP Based Authentication
Quality of Protection (QoP)
- Authentication
- Integrity
- Privacy
Symmetric Cryptography
- Block Access Tokens are used to access data
- TokenAuthenticator = HMAC-SHA1(key, TokenID)
- A secret key must be shared between the Name Node and every Data Node, so any Data Node that holds it can mint tokens, not just verify them
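The following added example (not Hadoop's code) implements the token construction on the slide, TokenAuthenticator = HMAC-SHA1(key, TokenID), with the check a Data Node would run and then the consequence of the shared key. The TokenID field layout, the cluster key and the timestamps are this example's own, not Hadoop's wire format; the key, user names and block numbers are constructed.

```python
"""Added example: Block Access Token mint/verify with HMAC-SHA1 over a shared
symmetric key, and the forgery a compromised Data Node can perform."""
import hashlib
import hmac

# Constructed cluster key; in the design the Name Node generates it and
# distributes it to every Data Node.
CLUSTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def block_token_id(block_id, user, modes, expiry):
    """Serialise the claims a Data Node must check. Layout is this example's."""
    return f"{block_id}|{user}|{','.join(sorted(modes))}|{expiry}".encode()


def mint_block_token(key, block_id, user, modes, now, ttl=600):
    """Name Node side: bind (block, user, modes, expiry) to the shared key."""
    token_id = block_token_id(block_id, user, modes, now + ttl)
    authenticator = hmac.new(key, token_id, hashlib.sha1).digest()
    return token_id, authenticator


def verify_block_token(key, token_id, authenticator, block_id, mode, now):
    """Data Node side: recompute the MAC (constant-time compare), then check
    the claims carried in the TokenID against the request being made."""
    expected = hmac.new(key, token_id, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False
    tid_block, _user, modes, expiry = token_id.decode().split("|")
    return (int(tid_block) == block_id
            and mode in modes.split(",")
            and now < int(expiry))


def demo(key=CLUSTER_KEY, now=1_700_000_000):
    """Exercise the honest path, the usual rejection cases, and the forgery a
    compromised Data Node can perform because it holds the same key."""
    token_id, auth = mint_block_token(key, 42, "alice", {"READ"}, now)
    results = {
        "legit": verify_block_token(key, token_id, auth, 42, "READ", now + 10),
        "wrong_block": verify_block_token(key, token_id, auth, 43, "READ", now + 10),
        "wrong_mode": verify_block_token(key, token_id, auth, 42, "WRITE", now + 10),
        "expired": verify_block_token(key, token_id, auth, 42, "READ", now + 601),
        # Editing the TokenID without the key breaks the MAC.
        "tampered": verify_block_token(key, token_id.replace(b"42|", b"43|", 1),
                                       auth, 43, "READ", now + 10),
    }
    # The slide's concern: a compromised Data Node holds the minting key, so it
    # can issue a token for any block and any user, and every other Data Node
    # in the cluster will accept it.
    forged_id, forged_auth = mint_block_token(key, 43, "mallory",
                                              {"READ", "WRITE"}, now)
    results["forged_by_datanode"] = verify_block_token(
        key, forged_id, forged_auth, 43, "WRITE", now + 10)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The first five results are what the HMAC buys: a token is bound to one block, one set of modes and an expiry, and cannot be edited without the key. The last one is the exposure the slide points at: verification and minting use the same key, so the trust boundary is the weakest Data Node rather than the Name Node. The textbook way to separate the two is a signature under a key only the Name Node holds, with Data Nodes carrying just the public verification key, at the cost of slower per-request checks.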
Pluggable Web UI Authentication
- There are multiple web UIs: Oozie, Job Tracker, Task Tracker
- No standard HTTP authentication mechanism!
IP Based Authentication
- HDFS proxies use the HSFTP protocol for bulk data transfers
- HDFS proxies are authenticated by IP address
One Alternative Strategy
- Tahoe
Tahoe: A Least Authority File System
- Deserves its own talk; Aaron Cordova gave one at Hadoop World NYC 2009
- Disk is not trusted
- Network is not trusted
- Aaron intended this for use in Infrastructure as a Service cloud computing environments
- Write performance is severely impacted, but read performance is not as heavily impacted
More Likely Alternative
- Network Segmentation
Accept the Limitations
- Use network segmentation to prevent unauthorized access to Hadoop resources
Thank you for coming!
andrew@isecpartners.com