Towards Secure and Dependable Authentication and Authorization Infrastructures
Diego Kreutz, Alysson Bessani, Eduardo Feitosa, Hugo Cunha
PRDC2014, Singapore
Cyber threats: state of affairs
NSA Director Rogers Urges Cyber-Resiliency Threat Post, Washington, D.C. (United States)
Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 The White House, Washington, D.C. (United States)
Biggest ever cyber security exercise in Europe today European Commission - PRESS RELEASES, October 30, 2014
Survey: Cyber security priorities shift to insider threats FEDERALTIMES US
Authentication & Authorization Infra (AAI)
A typical Authentication & Authorization architecture in an enterprise network
[Diagram: Client (a user requesting network access) -- 802.1X --> NAS (e.g., WiFi router) -- RADIUS --> Authentication Server -- LDAP, SQL --> Backend Service]
AAIs are one of the most critical pillars of current IT systems!
Credential theft
Access deny/grant
Permissions & credentials
What if end-to-end EAP-TLS?
EAP-TLS by itself is still not enough!
AAI Federations & Threats
A typical AAI Federation among enterprise networks (mobility, …)
[Diagram, top to bottom: Confederation top-level RADIUS server; Federation top-level RADIUS servers (.PT, .SG); Institutional level RADIUS servers; Network infrastructure, systems and services; users U1, U2, U3, U4]
Outline
Our Solution
Goals & Challenges
Intrusion-Tolerant AAIs
Conclusion
Evaluation
Mapping the current state of affairs of AAIs
Current State of Affairs of AAIs
[Figure: categories C1 to C6 placed on two axes, Dependability and Security & Trust]
Existing systems are of categories C1, C2 and C43
Our goal is to design systems of categories C4-C6
What can we do about it?
Approach 1: try to fix everything!?
Approach 2: increase the system’s security and dependability
Hybrid system architectures, specialized components, clouds, …
Goals
Develop new hybrid system architectures for AAIs.
Design & provide mechanisms for building fault- and intrusion-tolerant AAIs
Challenges
Arbitrary fault tolerance in AAI systems
Ensure confidentiality of sensitive data
Keep backward compatibility
Traditional RADIUS architecture
Shared secret (confidentiality, integrity)
How to avoid single points of failure?
Building a resilient architecture
‘Multi-path’ by simple replication
How to tolerate arbitrary faults?
[Diagram: Client -- 802.1X --> NAS (e.g., WiFi router) -- RADIUS --> Authentication Gateway -- BFT-SMR --> Authentication Server & Back-end]
Backward compatibility & SMR integration
How to ensure the confidentiality of shared secrets?
Solution = secure elements on the RADIUS replicas
EAP-TLS with BFT-SMR? How can it work?
EAP-TLS handshake with an adapted PRF
Let’s simplify by removing the back-ends
Sensitive Data & Secure Component (SC)
Authentication Service Replica: TLS, EAP, RADIUS, OpenID, HTTP/HTTPS, BFT-SMaRt
USER Table:
<ID1> <…, Perm>MAC
<ID2> <…, Perm>MAC
<ID3> <…, Perm>MAC
<ID4> <…, Perm>MAC
…
<IDn> <…, Perm>MAC
DATA Table (NAS | Association):
<NAS1 | Handler1> <…, EK1>
<NAS2 | Handler2> <…, EK2>
<NAS3 | Handler3> <…, EK3>
<NAS4 | Handler4> <…, EK4>
…
<NASn | Handlern> <…, EKn>
Secure Component: PuCA, KNAS, PrS, KUser, ID, KAssoc
SC methods:
1. HMAC
2. DecryptRSA
3. SymmCipher
4. Confidential
5. SignRSA
6. GenAssociation
7. GenNonce

| Method | Protocol | Input | Output |
| --- | --- | --- | --- |
| DecryptRSA | TLS | Packet to be verified. | Status of the signature verification. |
| SignRSA | TLS | Data to sign. | RSA signature using the key PrS. |
| SymmCipher | TLS/RADIUS | Protocol id and data. | Ciphered output of the input data. |
| Confidential | TLS/RADIUS | The packet data. | A confidential share of the data. |
| HMAC | RADIUS | data + encrypted shared key. | HMACMD5 of the input data. |
| GenAssoc | OpenID | Public key and two big integers. | Association info + server’s public key. |
| GenNonce | OpenID | Two big integers. | Pseudo random nonce. |
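
An added sketch, not the authors' implementation, of the boundary the HMAC row and the MAC-protected USER table imply: the replica stores only wrapped secrets and sealed rows, and asks the secure component for results. The class and method names, the wrapping of the shared secret under KNAS, the HMAC-SHA256 stand-in cipher and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


class SecureComponent:
    """Stands in for the hardware boundary: keys stay inside this object."""

    def __init__(self):
        k_nas = os.urandom(32)  # KNAS, assumed here to wrap NAS shared secrets
        self._enc = hmac.new(k_nas, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(k_nas, b"mac", hashlib.sha256).digest()
        self._k_user = os.urandom(32)  # KUser, assumed here to seal USER rows

    def _xor_stream(self, nonce, data):
        # Stand-in cipher (HMAC-SHA256 in counter mode) to stay stdlib-only;
        # a real SC would use an authenticated cipher such as AES-GCM.
        stream, counter = b"", 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def wrap_secret(self, secret):
        """Provisioning only: returns EK = nonce || ciphertext || tag."""
        nonce = os.urandom(16)
        ct = self._xor_stream(nonce, secret)
        return nonce + ct + hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()

    def _unwrap(self, ek):
        nonce, ct, tag = ek[:16], ek[16:-32], ek[-32:]
        good = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("EK failed its integrity check")
        return self._xor_stream(nonce, ct)

    def hmac_md5(self, data, ek):
        """HMAC method from the table: data + encrypted shared key -> HMAC-MD5."""
        return hmac.new(self._unwrap(ek), data, hashlib.md5).digest()

    @staticmethod
    def _row(user_id, perm):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently.
        fields = [user_id.encode(), perm.encode()]
        return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

    def seal_user_row(self, user_id, perm):
        """Provisioning only: the MAC stored next to the row in the USER table."""
        return hmac.new(self._k_user, self._row(user_id, perm), hashlib.sha256).digest()

    def check_user_row(self, user_id, perm, mac):
        return hmac.compare_digest(mac, self.seal_user_row(user_id, perm))


class Replica:
    """Untrusted replica state: wrapped secrets and sealed rows, no keys."""

    def __init__(self, sc):
        self.sc = sc
        self.data_table = {}  # NAS id -> EK
        self.user_table = {}  # user id -> (perm, mac)

    def authenticator(self, nas_id, packet):
        return self.sc.hmac_md5(packet, self.data_table[nas_id])

    def permission(self, user_id):
        perm, mac = self.user_table[user_id]
        if not self.sc.check_user_row(user_id, perm, mac):
            raise ValueError("USER table row was modified")
        return perm


def demo():
    sc = SecureComponent()
    replica = Replica(sc)
    secret = b"constructed-nas-secret"            # constructed sample value
    packet = b"constructed RADIUS packet bytes"   # constructed sample value
    replica.data_table["NAS1"] = sc.wrap_secret(secret)
    replica.user_table["ID1"] = ("guest", sc.seal_user_row("ID1", "guest"))

    expected = hmac.new(secret, packet, hashlib.md5).digest()
    tag_ok = replica.authenticator("NAS1", packet) == expected
    secret_visible = secret in replica.data_table["NAS1"]

    # A compromised replica rewrites the permission but cannot recompute the MAC.
    replica.user_table["ID1"] = ("admin", replica.user_table["ID1"][1])
    try:
        replica.permission("ID1")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return tag_ok, secret_visible, tamper_detected
```

A compromised replica can still call the component while it runs, but it cannot export the shared secret or forge a USER row, which is the confidentiality property the slides assign to the SC.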
How to implement a secure component?
A secure component can be “any” device capable of ensuring the data and operation confidentiality of the target system/environment.
Smart Cards
Intel SGX
Tamper Resistant FPGA
A Highly Secured (shielded) Computer
Virtual TPM (e.g. vTPM)
Secure Hypervisor (e.g. sHyper)
Generic resilient architecture for AAIs
[Diagram: Client; Service / Application / Device (fS + 1); Gateway (AAI front-end) (fG + 1); AAI Replicas (mfR + 1); AAI SCs (mfR + 1); link labels: Protocol 2, Shared secret, EAP-TLS]
Protocol-specific connection between elements
Protocol-specific shared secrets
Trusted Third Party (TTP)
Resilient RADIUS architecture
[Diagram: Supplicant -- 802.1X/EAP-TLS --> Network Access Server (NAS) (fS + 1) -- RADIUS/EAP-TLS --> RADIUS Gateway (fG + 1) -- SMR/RADIUS/EAP-TLS --> Resilient RADIUS (3fR + 1); label: Symmetric shared secret]
Resilient RADIUS communications
[Sequence diagram: participants Supplicant, NAS, RADIUS Gateway, RADIUS Replicas and Trusted Components; two exchanges, each spanning 802.1X, RADIUS, BFT-SMR and EAP-TLS and each including a BFT Agreement step]
Resilient OpenID architecture
[Diagram: Client/Web Browser; Service Provider (Relying Party) (fS + 1); OpenID Gateway (fG + 1); Resilient OpenID (3fR + 1); Resilient OpenID Identity Provider; link labels: HTTP/HTTPS OpenID 2.0, SMR/HTTP/HTTPS/OpenID 2.0; label: steps 4 and 5]
Resilient OpenID communications
Participants: Client/Browser, Relying Party, OpenID Gateway, OpenID Replicas, Trusted Components
1. Service Request
2. Identification Request
3. Identification URL
4. Discovery (YADIS)
5. XRDS Response
6. Association Request (RP DH public-key)
7. Request (Association Handle + MAC Key + DH keypair)
8. Response
9. Association Response (IdP DH public-key)
Association Established
10. Authentication Request
11. Credentials Request / Browser Redirection
12. Credentials
13. Credentials + Nonce Random Number request
14. Authentication Assertion + Number
15. Authentication Response
16. Authentication Response
Resilient RADIUS vs FreeRADIUS
Environment / Configuration
Resilient RADIUS: 7 machines
FreeRADIUS: 3 machines
Machines: CPU 2x4, MEM 32G, Net Giga
FreeRADIUS setup: Supplicant; Network Access Server (NAS) (fN + 1) with fN = 0; RADIUS Servers (fG + 1) with fG = 1; Symmetric shared secret
Resilient RADIUS setup: Supplicant; Network Access Server (NAS) (fN + 1) with fN = 0; RADIUS Gateway (fG + 1) with fG = 1; Replicated RADIUS (3fR + 1) with fR = 1; Symmetric shared secret
Resilient RADIUS vs FreeRADIUS
Latency
Throughput
Fail-stop (crash) and Byzantine faults

| Attack | FreeRADIUS | RADIUS Rep | RADIUS Gw |
| --- | --- | --- | --- |
| Fail-stop | 9s delay | No delay | 9s delay |
| Byzantine | Max delay of 9s | No delay | Up to 9s delay |

Note: using the default configuration of the RADIUS protocol, i.e., 3s between each retry.
Resilient OpenID
Average Latency: 78.360ms
Average Latency: 87.343ms
Average Latency: 32.103ms

| Environment | vCPU | ECUs | MEM | Network |
| --- | --- | --- | --- | --- |
| Quinta-VMsR | 3 | --- | 4GB | Gigabit Ethernet |
| Quinta-VMsG | 6 | --- | 8GB | Gigabit Ethernet |
| Quinta-Phy | 16 | --- | 32GB | Gigabit Ethernet |
| Amazon-DCs | 2 | 6.5 | 7.5GB | Public WAN |

Near linear gain
[Chart: series Quinta-VMs, Quinta-PHY and Amazon-DCs; horizontal axis ticks 10, 20, 40, 80, 100, 200; vertical axis from 0 to 6000]
Resilient OpenID (faults & attacks)
[Chart: ROpenID throughput under crash faults and attacks; x-axis: Number of OpenID clients (10, 20, 40, 80, 100); y-axis: Number of authentications/s; series: FF-Exec, 1s-Crash, 2s-Crash, 4s-Crash, 8s-Crash, 16s-Crash, TCP-ACK-A, TCP-SYN-A]
A hybrid architecture for intrusion-tolerant AAIs
A secure component for ensuring the confidentiality
Backward compatibility for both RADIUS & OpenID
Performance assessment and evaluation under fault & attacks
Bugs, failures, threats, attacks, …
Cyber Crimes/Attacks
Software Bugs & Vulnerabilities
Logical Failures
Cyber threats: state of affairs
NSA Director Rogers Urges Cyber-Resiliency Threat Post, Washington, D.C. (United States)
Guide to Cyber Threat Information Sharing (Draft) National Institute of Standards and Technology (NIST)
Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 The White House, Washington, D.C. (United States)
Biggest ever cyber security exercise in Europe today European Commission - PRESS RELEASES, October 30, 2014
Emerging Cyber Threats Report 2015 Georgia Institute of Technology
One million cyber attacks a day on Deutsche Telekom network EU News & policy debates, across languages
Survey: Cybersecurity priorities shift to insider threats FEDERALTIMES US
Authentication & Authorization Infra (AAI)
Typical Authentication & Authorization Infrastructure Architecture: Client; Service; Authentication Service; Auth Backends (SQL, LDAP); link labels: Protocol 1, Protocol 2, Protocol 3
Traditional RADIUS Architecture: Supplicant; Network Access Server (NAS); AAA/RADIUS Server; AAA Backends (SQL, LDAP); link labels: 802.1X, RADIUS, AAA; Symmetric shared secret
Traditional OpenID Architecture: Client / Web Browser; Service Provider (SP) Relying Party (RP); OpenID Server; OpenID Backends (SQL, LDAP); label: steps 4 and 5
State Machine Replication (SMR) with BFT-SMaRt
Main building blocks (SMR)
[Diagram: the AAI Gateway sends a REQUEST to the AAI Replicas R0 (leader), R1, R2 and R3; the replicas exchange PROPOSE, WEAK and STRONG messages and then send the REPLY]
Vulnerabilities and Threats in AAIs

| Vulnerability/Supported features | RADIUS | OpenID |
| --- | --- | --- |
| Tolerates crash faults (e.g., back-end clusters) | YES | YES |
| Tolerates arbitrary faults | NO | NO |
| Tolerates infrastructure outages | NO | NO |
| Tolerates DDoS attacks | NO | NO |
| Risk of common vulnerabilities | HIGH | HIGH |
| Risk of sensitive data leakage | HIGH | HIGH |
| Protocol security-related vulnerabilities | YES | YES |
| Susceptibility to resource depletion attacks | YES | YES |

Resilient OpenID
Number of authentications/s

| # of clients | Quinta-VMs | Quinta-PHY | Amazon-DCs |
| --- | --- | --- | --- |
| 10 | 501 | 1489 | 62 |
| 20 | 769 | 2540 | 111 |
| 40 | 986 | 3487 | 210 |
| 80 | 1077 | 4719 | 401 |
| 100 | 1136 | 5011 | 489 |
| 200 | 1424 | 5290 | 704 |

Near linear gain. Saturation points.
Wait! What about resource depletion attacks?
In virtualized environments, how can malicious VMs affect the execution of non-malicious VMs?
Resource Depletion Attacks
[Chart: ROpenID throughput under CPU depletion attacks; x-axis: Number of OpenID clients (10, 20, 40, 80, 100); y-axis: Number of authentications/s; series: FF-Exec, 3vCPUs-Attack, 6vCPUs-Attack, 12vCPUs-Attack]
[Chart: ROpenID throughput under attacks; x-axis: Number of OpenID clients (10, 20, 40, 80, 100); y-axis: Number of authentications/s; series: QuintaVMs, TCP-ACK-A, TCP-SYN-A, TCP-SYN-ACK-A, TCP-SSH-A]