Published: 2001-08-19
This is an article about authentication systems. The target audience is PC end-users. Attempts have been made to make the text as readable, entertaining and educational as possible.
What do these security related sites..
..these commercial software vendors..
..and these Open Source project sites..
..have in common?
They have all suffered an unauthorised intrusion to their systems. Various sources seem to indicate they all fell victim to the same type of attack: a trusted path attack. You may have no idea what that means. An explanation follows:
You are standing guard. You work for Golden Arch, Inc. Your job is to control who goes through the golden arch. Every morning you are handed a sheet of paper with names of the people who are allowed to enter through the arch. For now, let us assume you do not need to worry where the sheet of paper comes from, or who people need to request access from: you can actually trust the names listed on this piece of paper.
A person approaches you. "Good morning," he says. "My name is Walt Disney." Looking at your sheet of paper you verify that Walt Disney is allowed entry, you write the current time on the sheet of paper next to Walt's name and you step aside.
Another person approaches you. "I am Samuel L. Jackson." Again you look at your list and find Samuel L. Jackson listed. Great. Write the current time on the sheet of paper. Let him in.
These are two examples of authentication. Authentication is the act of proving your identity. Walt and Samuel proved their identity to you, as is required by Golden Arch, Inc procedures, by stating their name at the gate. A successful authentication means they are allowed access.
(What Walt and Samuel do once they have authenticated is not up to us. That process is called authorisation. The man with the funny pants takes care of all that.)
This authentication scheme has some obvious weaknesses as you are probably aware. Suppose I approached you 10 minutes later. "I am Mel Gibson," I would lie. Since Mel Gibson is most certainly listed as having access, one of two things would happen:
or
I just fooled your authentication system. Of course the weakness is the method of how the proof of identity is supplied: by simply stating a name. Weak authentication. As you can see, very easily bypassed.
Going back to the realm of computers for a brief moment, you probably authenticate a number of times a day. Your desktop workstation, your network drive, your personal Hotmail or Yahoo account. You authenticate by stating your name and in addition, a password. Clearly, this type of scheme is much stronger than a name alone. Let us bring our newfound knowledge back to Golden Arch Inc.
Suppose Walt and Samuel were made to remember a password which they had to recite at the gate before being let them in, that would help. It would make it much more difficult for me to claim to be Mel Gibson. Now, a conversation with you, the guard, would look like this:
Me: Good morning. I am Mel Gibson. You: Good morning Mr. Gibson. May I have your password, please? Me: Uh, bugger.
I would at this point run away because you would probably get suspicious when I tried to guess Mel's password by giving you 10 incorrect passwords. However, next morning I return:
Me: Good morning. I am Mel Gibson. You: Good morning Mr. Gibson. May I have your password, please? Me: Lethal Weapon. You: That is correct, sir.
So you take note of the current time and let me enter!
Silly Mel. Picking such an obvious password. That was not a very clever thing to do. Even if I had not guessed it, there are methods I could employ to discover Mel's password. I could slip in behind him next time he authenticated so I could hear what his password was. I might find an old sheet of your paper with the list of names and passwords. That would really be bad.
The only way to really discover unauthorised persons is to present the list of recorded times to Mel and ask him to verify that he did indeed authenticate at the mentioned times. This is very time consuming, and Mel may not remember for certain when he authenticated. Last but not least, the damage would already have been done.
As you can hopefully see, the combination of user name and password is not 100% reliable. There is only one way to determine if this scheme is strong enough for your purpose. You will have to think about who might want to gain access to what you are protecting. If you chose a sufficiently non-obvious password, the user name+password scheme may suffice for protecting your personal email. Depending on the content of your in-box and how badly you do not want your partner to see this content, it may also not be.
Certainly if you are protecting, say, the source code to Windows or Half-Life 2, thermal nuclear weapons or similar, an authentication scheme based on static passwords would not suffice. It would be well worth the effort for someone to obtain your authentication data either by listening in or by stealing an old copy of the authentication information (referred to as 'credentials').
Golden Arch, Inc. have suffered from a number of unauthorised intrusions due to the weak authentication they employ. A lot of inventory has gone missing; source code has been stolen and published! Something has to be done or heads will roll.
A number of new authentication schemes are devised by the security team and proposed to management.
Proposal one changes the sheet given to you, the guard. The sheet will now include a name, a password and a photo. This means that now authentication will be based on something Mel has (a face) and something he knows (the password). This is called two-factor authentication. Although I am a handsome bastard, it would require quite an effort on my behalf to bypass this authentication scheme. I am not willing to change my face to get access to a copy of the script to Mad Max 7.
In the computing world, "something you know" and "something you have" is usually implemented via some sort of small device, say, a CryptoCard KT1 token. "Something you know", "Something you have" and "something you are" is called three factor authentication and usually involves a password, a hardwaren token as well as a type of biometric authentication. For now, we will focus on the token in two factor.
Time-based tokens such as RSA SecurID are syncronised with a central authentication system and also share a secret. This makes the token output a different number for every authentication attempt. An authentication session would look like this:
Username: holsta Password: ******** Token: 548318
The authorised user would be the only person who knows the password, and the token would responsd with a 6 digit figure that must be used to login. This information would be sent to the central authentication server where the password and token output would be verified, and if correct access is granted.
Tokens that are pin-protected contain a shared secret. Once unlocked by entering a pin, the token authentication session could also look like this:
Username: holsta Token: 548318
In this example, the user does not enter a password, only the pin on his token.
Bypassing this scheme would require knowledge of the password, and a way of predicting what number the token is going to display. As long as the token is prevented from falling into the wrong hands, and the central authentication system is secure, it would be infeasible to proceed with this attack.
Proposal one is very cheap to implement as it only requires a slightly modified sheet for the guard and the return is significant. Most of the work would be in taking the pictures. Management is happy. Management is even more happy when they read proposal number two. The second proposal indicates the security team is fully aware that certain aspects of what Golden Arch Inc does is much more sensitive than a script to a future Mad Max movie.
Some of these items are so valuable it is entirely reasonable to believe that some individuals would be willing to make the effort of either forcing the password out of poor Mel and sending in their own person who underwent surgery, or simply holding Mel's family hostage.
One of the buildings, the laboratory, with the most sensitive material is at the edge of the company owned area. Like the other entry points, it currently has access based on simple user names and passwords. Compared to the value of the items in this building, it would be a minimal effort for someone to attack this building either in the fashion described above or by forcing their way in.
In light of the work that goes on in the laboratory, the second proposal involves moving all the activity in this building to one which has much more restricted access making it more easily controlled. Personnel (and their families) with access to this building will be relocated to an enclosed village with armed patrols. This is serious business.
Paranoid as it may seem, the above is an attempt at illustrating how many different threats, through proper analysis and understanding, can be addressed and reduced. I also hope you have an understanding of what is involved in authentication.
I started this paper by talking about trusted path attacks, and I should like to return to the subject. As the name implies, this type of attack involves determining trust relationships between your target and lesser protected entities and exploiting these relationships. Already now you should have a better idea of what I am talking about compared to when you started reading.
Imagine if Golden Arch, Inc had a small hut or shed a few hundred yards outside their factory grounds. A powerful storm would probably cause serious damage to the thing. The windows are made of plain glass, the lock is not very strong and it appears old. Inside the shed there is a trapdoor to an underground tunnel. This tunnel leads directly into the Golden Arch Inc factory grounds, possibly right beneath where you stand guard every morning!
How do you feel about that! And as if that was not bad enough, the tunnel comes out inside a very important building. There is no guard standing with a sheet of passwords at the end of the tunnel. Nothing (other than that silly old lock) prevents anyone from using the tunnel to gain access to the Golden Arch, Inc. factory grounds.
(Perhaps the engineer who built the tunnel did it as a favour to a high-ranking manager, and they have both since moved on to different companies.)
Golden Arch Inc trusts that silly little shed. If someone were to gain access to the shed, they could trivially exploit this trust by walking along the tunnel, and find themselves having bypassed the fence, the guard, everything.
For Microsoft, this happened when an employees PC was compromised and a piece of remote control software was installed on it. The PC was part of a Virtual Private Network connected to Microsoft. Because of the weak authentication, the attackers were able to capture the authentication credentials entered by the employee and replay it to gain access to Microsoft's network via the PC. Had they used a 2 factor authentication scheme this would have been much more difficult, as there is no way to replay these credentials.
For Valve Software, that happened when someone used a vulnerability in Microsoft Outlook to install a keystroke logger on a developers machine. His username and password was used to attack more machines and steal a copy of the highly anticipated game, Half-Life 2.
What seems to have happened to the other sites I mentioned first in the article is that a user/developer logged on to each of the sites from a machine that had been compromised. The authentication used was again simple password and user name. These authentication credentials were easily captured and used to gain entry.
Everywhere. Most operatingsystems ship with weak authentication from the vendor. Corporations who should know better use weak authentication which makes it easy for attackers to jump between machines once they have managed to break into one.
Small businesses, individuals with home network connections and members of free software projects rarely bother with security requirements, and strong authentication is no exception. Most system access in these environments is still based on user names and passwords even though most operatingsystems have had free SSH implementations available for quite some time now.
SSH provides cryptographic access to systems, but as long as people stick to usernames and passwords, the problem remains. Use stronger authentication such as keyfiles, and use the authentication forwarding intelligently.
Two factor authentication needs to become much more commonplace. Either use a keyfile schema, a token or a smart card depending on your situation and resources available.
