What's Wrong with PIC (PowerPoint presentation transcript)

1
What's Wrong with PIC
  • Bernard Aboba
  • Microsoft
  • bernarda_at_microsoft.com

2
It Seemed Like Such a Good Idea
  • Legacy authentication methods are currently popular in network access
    • CHAP, EAP-MD5
    • One-Time-Password (OTP)
    • Generic Token Card
    • SecurID
  • Certificate-based authentication is supported within IKE
  • What if
    • Legacy authentication methods could be used to enable certificate enrollment?
    • Replacement of legacy (AAA) infrastructure were not required in order to deploy PKI?
    • Support for legacy authentication could be achieved without changes to IKE?
  • Wouldn't life be WONDERFUL??

3
All We Need Is an Enrollment Protocol
  • A protocol which can transform legacy weak credentials into strong credentials!
    • Use legacy authentication mechanism to authenticate client to the server
    • Server provides client with a certificate
    • Client can then use certificate authentication within IKE
  • Everyone wins
    • We don't have to modify IKE
    • Customers can deploy certificates, while continuing to leverage legacy authentication infrastructure.

4
Deployment Scenarios
  • Short-term transition
    • VPN customer desires quick transition to certificate infrastructure
    • Enables legacy authentication enrollment protocol for a short period
    • Users obtain long-term certificates
    • Certificates used for authentication within IKE
    • Legacy authentication disabled
  • Long-term usage
    • Customer desires benefits of certificate infrastructure without the pain
    • Legacy authentication enabled with and without enrollment protocol for a considerable period (months, years)
    • Enrollment protocol used to provide short-term certificates (e.g. days)
    • Short-term certificates used for authentication within IKE

5
So Many Candidates
  • XAUTH
    • Enabled tunneling of legacy methods within IKE
    • Typically run after group pre-shared key authentication
    • Required modifications to IKE
  • GETCERT
    • Enabled tunneling of legacy methods within TLS w/ server auth
    • Certificate obtained as a result of authentication
    • No modifications to IKE required
  • PIC
    • Enabled tunneling of legacy methods within ISAKMP w/ server auth
    • Certificate obtained as a result of authentication
    • No modifications to IKE required

6
All With the Same Flaw!
  • Man-in-the-middle attack
    • Vulnerable protocols: PIC, XAUTH, GETCERT, PANA over TLS, EAP-TTLS, PEAP, HTTP Digest over TLS
  • Problems
    • Server-only authentication within the tunnel
    • No binding of tunnels to auth methods inside them
    • Credential reuse
      • Use of legacy methods inside and outside the tunnel

7
How It Works
  • Attacker connects to enrollment server
    • Enrollment server authenticates to attacker
    • Attacker does not authenticate to enrollment server
    • Attacker obtains tunnel keys
  • Attacker masquerades as an access server
    • Could be PPP, 802.1X, PPTP, even SIP server
    • Assumption is that credentials are reused on multiple media
    • Assumption is that legacy method is used within and outside of enrollment protocol
  • Client authenticates to attacker
    • Attacker tunnels authentication to enrollment server
  • Result: attacker authenticates successfully, obtains client's certificate, access to the network

8
Can It Be Fixed?
  • Sure
    • For auth methods deriving keys
      • Compound MACs can be exchanged
      • Compound keys can be derived
    • For auth methods not deriving keys
      • Most of what we were attempting to address: CHAP, EAP-MD5, OTP, GTC, SecurID
      • Just change the method to incorporate tunnel keys..
      • Just change the method to derive keys
  • Not really.
    • That's why they call it Legacy!
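The relay on slide 7 and the compound-key binding on slide 8 are easiest to see side by side in a simulation. The following is an added example, not code from the slides or from any PIC, XAUTH or GETCERT implementation: the tunnel, the challenge/response method, the KDF and the MAC constructions are toy stand-ins, the password is constructed, and the "key-deriving" inner method is a hypothetical variant introduced only to show what a binding needs. What it demonstrates is the shape of the problem: with server-only tunnel authentication the server cannot tell a relayed legacy exchange from a genuine one; a compound MAC mixed from the tunnel key and the inner-method key lets it tell, but only when the inner method exports a key, which CHAP, OTP, GTC and SecurID do not.

```python
"""Toy model of the relay attack on slide 7 and of the compound-key binding
from slide 8.  Added example, not part of the original slides; the password,
keys and challenges are constructed for the simulation."""
import hashlib
import hmac
import os

# Constructed legacy credential shared by the client and the AAA server.
PASSWORD = b"correct horse"

ISSUED = "certificate issued to tunnel peer"
BAD_RESPONSE = "rejected: bad legacy response"
NOT_BOUND = "rejected: inner auth not bound to this tunnel"


def legacy_response(password: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: proves the password but derives no key."""
    return hashlib.sha256(password + challenge).digest()


def inner_key(password: bytes, challenge: bytes) -> bytes:
    """Key exported by an inner method that DOES derive keys (hypothetical
    variant of the legacy method).  CHAP, OTP, GTC, SecurID have no such key."""
    return hmac.new(password, b"inner-key" + challenge, hashlib.sha256).digest()


def compound_mac(tunnel_key: bytes, ikey: bytes, transcript: bytes) -> bytes:
    """Compound MAC: keyed with a compound key mixed from the tunnel key and the
    inner-method key, so only a party holding both can bind the inner auth
    to this particular tunnel."""
    compound_key = hmac.new(tunnel_key, b"compound" + ikey, hashlib.sha256).digest()
    return hmac.new(compound_key, transcript, hashlib.sha256).digest()


class EnrollmentServer:
    """Server-authenticated tunnel endpoint that issues a certificate once a
    legacy authentication succeeds inside the tunnel."""

    def __init__(self, require_binding: bool):
        self.require_binding = require_binding

    def open_tunnel(self) -> bytes:
        # Server-only authentication: any peer may open a tunnel and learns
        # the tunnel key; the peer's identity is still unknown at this point.
        return os.urandom(32)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def enroll(self, tunnel_key: bytes, challenge: bytes, response: bytes, cmac) -> str:
        if not hmac.compare_digest(response, legacy_response(PASSWORD, challenge)):
            return BAD_RESPONSE
        if self.require_binding:
            expected = compound_mac(tunnel_key, inner_key(PASSWORD, challenge), challenge + response)
            if cmac is None or not hmac.compare_digest(cmac, expected):
                return NOT_BOUND
        return ISSUED


def honest_enrollment(server: EnrollmentServer, derives_keys: bool) -> str:
    """Legitimate client: opens its own tunnel and answers the challenge inside it."""
    tkey = server.open_tunnel()
    c = server.challenge()
    r = legacy_response(PASSWORD, c)
    cmac = compound_mac(tkey, inner_key(PASSWORD, c), c + r) if derives_keys else None
    return server.enroll(tkey, c, r, cmac)


def relayed_enrollment(server: EnrollmentServer, derives_keys: bool) -> str:
    """Slide 7: the attacker opens the tunnel, poses as a plain access server
    (PPP, 802.1X, ...) to the client, and relays the legacy exchange."""
    attacker_tkey = server.open_tunnel()           # attacker holds the tunnel key
    c = server.challenge()                         # forwarded to the client in the clear
    r = legacy_response(PASSWORD, c)               # client answers outside any tunnel
    # The attacker never learns the password, so it cannot derive the inner
    # key; the best it can do when a binding is demanded is guess one.
    cmac = compound_mac(attacker_tkey, b"\x00" * 32, c + r) if derives_keys else None
    return server.enroll(attacker_tkey, c, r, cmac)


def run_scenarios() -> dict:
    """Outcome of each scenario; keys name the server policy, the inner method, and the peer."""
    unbound, bound = EnrollmentServer(False), EnrollmentServer(True)
    return {
        "no_binding/honest": honest_enrollment(unbound, derives_keys=False),
        "no_binding/relayed": relayed_enrollment(unbound, derives_keys=False),         # the flaw
        "binding/key-deriving/honest": honest_enrollment(bound, derives_keys=True),
        "binding/key-deriving/relayed": relayed_enrollment(bound, derives_keys=True),  # detected
        "binding/legacy/honest": honest_enrollment(bound, derives_keys=False),         # nothing to bind
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30} {outcome}")
```

The last scenario is the point of slide 8: once the server insists on a binding, an honest client using a method with no key derivation is rejected too, because there is no inner key to mix into the compound key. The binding therefore fixes the key-deriving case and leaves the legacy methods exactly where they were.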

9
You Can't Get There From Here!
  • The flaw is inherent in the long-term usage scenario
    • Enrollment protocol used long term
      • Creates lots of time to carry out attack
    • Legacy auth methods used inside and outside of enrollment protocol
      • Creates pool of potential client victims
    • Server-only authentication within the tunnel
      • Enables an attacker to set up a tunnel without authenticating itself
    • Reliance on AAA infrastructure serving many uses
      • Institutionalizes credential reuse
    • Reliance on legacy authentication methods
      • Methods without mutual auth or key derivation
      • Creates vulnerability to connection hijacking
      • Some vulnerable to dictionary attack

10
Lessons Learned
  • Legacy authentication methods do not provide a good foundation for anything other than a short transition
  • Proliferation of CHAP as an authentication method in IETF protocols is not a good idea
  • Authentication tunneling is not a miracle cure