OTP II Project Presentation Roman Kecher ([email protected]) [email protected] Ophir...


Page 1: OTP II Project Presentation

Roman Kecher (roman.kecher@gmail.com), Ophir Etzion (ophir86@gmail.com)

Supervised by: Zeev Schneider (…@technion.ac.il)

Software Lab, EE Technion. 08-02-2009

Page 2: Introduction

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access for people or computers to connect and use a network service.

In the user's authentication process we would like to use a One Time Password (OTP) for security reasons.

Page 3: The OTP Concept (or, OTP I)

The idea is to use a different, one-time password each time a password is required.

The OTP is created by applying a cryptographic (one-way) hash function, MD5, to a string built from known parameters that are updated each time, thus producing a different hash on each invocation.

Page 4: Solution Characteristics

Internet Authentication Service (IAS) is Microsoft's implementation of RADIUS.

IAS allows any developer to write custom extensions to the authentication process.

Our solution is an extension to the IAS that allows a user to authenticate with an OTP instead of his static, fixed password.

Page 5: OTP IAS Extension

The IAS communicates with an Active Directory (AD) server that stores all users' data.

Our OTP data is stored in that very same AD and fetched by the extension, prior to computing the current OTP.

After a successful connection attempt, the OTP data in the AD is updated in order to get a different OTP next time around.
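The fetch, compute, compare and update flow described on this slide, as an added Python example that is not the project's C++ code. The seed:pin:iteration layout of the hashed string is an assumption (the slides never give the exact format), the in-memory dict stands in for the AD attributes read over ADSI, and the digestmod parameter is only there to show that the MD5 the deck used can be swapped for another hash.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class OtpRecord:
    """Constructed stand-in for the three custom AD attributes the deck names
    (otppin, otpseed, otpiteration); the real extension reads them via ADSI."""
    pin: str
    seed: str
    iteration: int


def compute_otp(record: OtpRecord, digestmod: str = "md5") -> str:
    # The deck hashes "a string built from known parameters that are updated
    # each time". The slides do not give the layout, so this seed:pin:iteration
    # layout is an assumption of this example. MD5 is what the deck used;
    # digestmod exists only to show the hash function can be replaced.
    material = f"{record.seed}:{record.pin}:{record.iteration}".encode()
    return hashlib.new(digestmod, material).hexdigest()


def radius_extension_process(store: dict, user: str, presented_otp: str,
                             digestmod: str = "md5") -> str:
    """Return the accept/reject decision the extension hands back to IAS.

    Mirrors the slide's flow: fetch the user's OTP data, compute the expected
    OTP, and only after a constant-time match bump the iteration so the same
    OTP cannot be presented again."""
    record = store.get(user)
    if record is None:
        return "reject"           # unknown user: no OTP data to check against
    expected = compute_otp(record, digestmod)
    if not hmac.compare_digest(expected.encode(), presented_otp.encode()):
        return "reject"           # failed attempt: counter is left unchanged
    record.iteration += 1         # "updated in order to get a different OTP next time"
    return "accept"


if __name__ == "__main__":
    # Constructed sample data, not real directory contents.
    store = {"alice": OtpRecord(pin="1234", seed="demo-seed", iteration=7)}
    token = compute_otp(store["alice"])          # what the phone applet would show
    print(radius_extension_process(store, "alice", token))   # accept
    print(radius_extension_process(store, "alice", token))   # reject (replay)
    print(store["alice"].iteration)                          # 8
```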

Page 6: How does it look?

Cellphone with “OTP I”: Java applet to produce current OTP.

User’s computer, wishing to connect to the wireless network using the 802.1x wireless protocol.

Wireless Access Point, acting as a RADIUS client.

IAS, acting as a RADIUS Server. This is where our product is installed.

AD Server, this is where all the OTP data of the users is stored.

Page 7: Development tools in use

For the whole development process, from start to end, we have used the Visual Studio 2005 IDE (Integrated Development Environment) by Microsoft.

We're not big fans of debugging; therefore the only debugging tool in use was a Debug class written by us, which logged everything so we could check up on suspicious behavior.

Page 8: Technologies

The solution consists of pure C++ code, with use of the MFC, ATL, and STL, along with some Microsoft specific structures (like VARIANT).

We used ADSI (Active Directory Services Interface) – an interface that allowed us to conduct easy and correct communication with the AD.

We have used the MD5 (Message Digest 5) algorithm as part of the OTP generation process.

Page 9: Implementation

As our solution is an extension to the IAS, we had to implement it as a DLL (Dynamic-Link Library).

That DLL had to implement and export at least one mandatory function, which is in charge of returning the accept/reject decision to the IAS:

RadiusExtensionProcess (Radius_attrs, Radius_action)

Page 10: Encountered Problems

The MMC (Microsoft Management Console) doesn't allow a user to view/edit custom attributes (such as ours).
Solution: we wrote an extension to the MMC that allows us to view and edit our own custom attributes.

Debugging a DLL can be pretty tricky, even more so when the executing machine isn't the one we're compiling on.
Solution: we wrote an internal logging facility for the whole extension, so we could see all the relevant data when an inspection is needed.

Page 11: Design Review

The chosen design is pretty much dictated to us since we're writing an extension to an already existing product; therefore we must implement it as a DLL, and have the correct functions exported.

The rest of the design conforms to the principles of OOP (Object Oriented Programming) and is well divided into logical modules, exactly the way it should be.

Page 12: Code, Briefly

Here are the major modules (/classes):

Main – this is the main entry point of the DLL. It interacts with the IAS.
MD5 – Implementation of MD5.
OTP – This module is in charge of computing the current OTP (per user).
MyADSI – This module is in charge of the communication with the AD.
MyAux – Auxiliary module. Contains some useful functionality, serving everybody.
Dbg – Debug class for logging purposes.

Page 13: Interaction of Code

[Diagram: module dependency graph with the nodes Main, MD5, OTP, MyADSI, MyAux, Dbg, the IAS and the AD. An arrow from A to B means: A uses B.]

Page 14: The MMC Extension Code

The MMC Extension is far simpler, code-wise.

The extension consists of a single MFC-based dialog, UserPropPage. In this dialog we have the three relevant properties (or attributes): PIN, Seed, Iteration.

All the code in the project is C++ code with MFC in use, which implements the functionality of reading the custom attributes from the AD and writing them back.

Page 15: Installing the MMC Extension

We have to extend the AD Schema with three new attributes: otpseed, otppin, otpiteration.

Once this is done, the new MMC extension DLL must be registered and added to the user-display Properties, under AdminPropertyPages.

This is all well explained in the supplied documents.

Page 16: The New MMC Extension

Page 17: Demonstration

Page 18: Relevant Courses

Security knowledge:
236350 Computer Security.
236506 Modern Cryptology.

Implementation and practice:
236703 Object Oriented Programming.
236700 Software Design.

Network related:
236341 Internet Networking.

Page 19: Gains from the project

We learned an entire system and the technologies within entirely from scratch: IAS, AD, and more. This benefits us in at least two ways:

We got acquainted with a whole range of new technologies and systems that can be useful in the future.

We learned how to cope with a totally new and challenging environment in which we have to work and find our own way.

Page 20: More gains!

In this project we have put to practice some of the theoretical knowledge we had before.

We learned how to deal with a very practical and well defined demand for a working product – this differs greatly from any demands we faced in normal courses.

We learned much from Zeev and his experience.

Page 21: Summary

This project was a really beneficial experience that really assured us we are ready to handle anything we may face, no matter how new and challenging it is.

At the bottom line, we have a working product here, that has a demand in the market! We may consider trying to sell it, or continue working in the field.

Page 22: Suggestions for OTP III?

Some studies show that MD5 has quite a few weaknesses, so basing the OTP on a different hash algorithm may be a smart direction to go in.

Another nice suggestion could be building a hardware device for creating the OTPs. Perhaps even one that is based on the time of creation, rather than on the number of invocations, to create the OTP.
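The time-based variant this slide proposes, as an added Python example and not part of the project: the changing parameter is a 30-second time-step index instead of the invocation counter, SHA-256 stands in for MD5 per the hash suggestion above, and the verifier tolerates one step of clock drift while recording consumed steps so an OTP cannot be reused inside that window. The step length, the seed:pin:step layout and the sample values are all assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional, Set

STEP_SECONDS = 30   # assumption: one OTP per 30-second window


def time_based_otp(seed: str, pin: str, step_index: int,
                   digestmod: str = "sha256") -> str:
    # Same shape as the deck's OTP, but the changing parameter is the
    # time-step index rather than the invocation counter. The seed:pin:step
    # layout and the SHA-256 default are assumptions of this example.
    material = f"{seed}:{pin}:{step_index}".encode()
    return hashlib.new(digestmod, material).hexdigest()


def verify_time_based(seed: str, pin: str, presented: str, now: float,
                      skew_steps: int = 1,
                      used_steps: Optional[Set[int]] = None) -> bool:
    """Accept an OTP for the current time step or any of +-skew_steps neighbours.

    The tolerance covers clock drift between the token device and the server.
    When used_steps is given, each accepted step is recorded there and refused
    afterwards, so a captured OTP cannot be presented again within the window."""
    current = int(now // STEP_SECONDS)
    for step in range(current - skew_steps, current + skew_steps + 1):
        if used_steps is not None and step in used_steps:
            continue                      # already consumed: treat as no match
        candidate = time_based_otp(seed, pin, step)
        if hmac.compare_digest(candidate.encode(), presented.encode()):
            if used_steps is not None:
                used_steps.add(step)
            return True
    return False


if __name__ == "__main__":
    seed, pin, now = "demo-seed", "1234", 1_000_000.0   # constructed values
    token = time_based_otp(seed, pin, int(now // STEP_SECONDS))
    print(verify_time_based(seed, pin, token, now))        # True
    print(verify_time_based(seed, pin, token, now + 31))   # True: one step of drift
    print(verify_time_based(seed, pin, token, now + 61))   # False: outside the window
```

Without the skew window a token generated a few seconds before the step boundary would be rejected on arrival; without the used-step record the same token would be accepted twice inside one window.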