1

SS : Assignment 4

10-607 Ajay Chaurasia 23/10/2013 Sub : System Security

Q1) Write a short note on Kerberos system Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a clientserver model and it provides mutual authentication both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Description 1. The client authenticates itself to the Authentication Server (AS) which forwards the username to a Key Distribution Center (KDC). 2. The KDC issues a Ticket Granting Ticket (TGT), which is time stamped, encrypts it using the user's password and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT remains valid until it expires, though may be transparently renewed by the user's session manager while they are logged in. 3. When the client needs to communicate with another node ("principal" in Kerberos parlance) the client sends the TGT to the Ticket Granting Service (TGS), which usually shares the same host as the KDC. 4. After verifying the TGT is valid and the user is permitted to access the requested service, the TGS issues a Ticket and session keys, which are returned to the client. 5. The client then sends the Ticket to the service server (SS) along with its service request. The protocol is described in detail below.

User Client-based Logon 1. A user enters a username and password on the client machines. Other credential mechanisms like pkinit (RFC4556) allow for the use of public keys in place of a password.

2 2. The client transforms the password into the key of a symmetric cipher. This either uses the built in key scheduling or a one-way hash depending on the cipher-suite used. Client Authentication 1. The client sends a cleartext message of the user ID to the AS requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.) 2. The AS generates the secret key by hashing the password of the user found at the database (e.g. Active Directory in Windows Server). 3. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client: 4. Message A: Client/TGS Session Key encrypted using the secret key of the client/user. 5. Message B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS. 6. Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user. If the user entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A. 7. With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key. This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS. Client Service Authorization 1. When requesting services, the client sends the following two messages to the TGS: 2. Message C: Composed of the TGT from message B and the ID of the requested service. 3. Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key. 4. Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the "client/TGS session key". Using this key, the TGS decrypts message D (Authenticator) and sends the following two messages to the client: 5. Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key. 6. Message F: Client/Server Session Key encrypted with the Client/TGS Session Key. Client Service Request 1. Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages: Message E from the previous step (the client-to-server ticket, encrypted using service's secret key). Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key. 2. The SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key. Using the sessions key, SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client: Message H: the timestamp found in client's Authenticator plus 1, encrypted using the Client/Server Session Key.

3 3. The client decrypts the confirmation using the Client/Server Session Key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. 4. The server provides the requested services to the client. Drawbacks and Limitations 1. Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. 2. Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration per MIT requires that clock times are no more than five minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized. 3. The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244. 4. Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user. 5. Each network service which requires a different host name will need its own set of Kerberos keys. This complicates virtual hosting and clusters.

Q2) Explain convert channel Ans:

1) 2) 3) 4) It is a mechanism or a type of attack using which important data can be leaked. A trojan horse routine will be used to send that data to the spy program. Such channel is very difficult to detect. Concept of covert channel is shown below.

Eg : File lock covert channel (storage Covert Channel) In a multiuser environment an OS or DBMS will lock a file so that other users cannot use it at the same time and later it will be unblocked. Now the service program and spy progam will need a common timing source which is broken into intervals. To signal binary bit 1 , the service program will lock the file for the interval and suring that time if spy program is unable to lock that file will assume service program is signalling 1 and similarly for 0 service program will unlock the file. If spy program is able to lock the file, it will assume source program is signalling 0.

Q3) List and explain types of Malicious codes.

Ans:
Definition : Malicious code is code causing damage to a computer or system. It is code not easily or solely controlled through the use of anti-virus tools. Malicious code can either activate itself or be like a virus requiring a user to perform an action, such as clicking on something or opening an email attachment. Types of malicious code Viruses: pieces of code that attach to host programs and propagate when an infected program executes . A Virus is a self-replicating code segment which must be attached to a host executable. When the host is executed, the virus code may also execute. If possible, the virus will replicate by

5 attaching a copy of itself to another executable. The virus may include an additional ``payload'' that triggers when specific conditions are met. Worms: particular to networked computers, carry out pre-programmed attacks to jump across the network. A Worm is a self-replicating program. It is self-contained and does not require a host program. The program creates the copy and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other computer systems. Trojan Horses: hide malicious intent inside a host program that appears to do something useful . A Virus is a self-replicating code segment which must be attached to a host executable. When the host is executed, the virus code may also execute. If possible, the virus will replicate by attaching a copy of itself to another executable. The virus may include an additional ``payload'' that triggers when specific conditions are met. Logic Bomb: It is malicious code in which triggers the action when a shifted condition is satisfied. Rabbit: It is program code which replicates itself. The main aim of writing rabbit is to consume all the resources which are available on target machine. Trapdoor : It is a method of gaining access to some part of a system other than by the normal procedure (e.g. gaining access without having to supply a password). Hackers who successfully penetrate a system may insert trapdoors to allow them entry at a later date, even if the vulnerability that they originally exploited is closed. There have also been instances of system developers leaving debug trapdoors in software, which are then discovered and exploited by hackers. Time bomb : In which triggers the action when a specified time or date has occurred. Zombie: It is used in DDOS. Zombie is an infected machine with the help of which we can target the victim the at the same time.

Q4) List and explain types of non-Malicious codes. Ans: The non malicious codes are never written purposely to harm any machine or network, but due to negligence of developer it happens. Types of non malicious attack

Buffer overflow

Incomplete Mediation

Race Condition

6 1) Buffer Overflow: (i) Buffer is a memory space which is used to show some data and the space is fixed and finite which is declared by the programmer. (ii) For example, In C the statement char test[10]; will use 10 bytes of memory for each character. Now, if we use a statement test[15]=X; it will lead to a condition called Buffer Overflow which means we are trying to use a buffer address which does not exist. (iii) There are four places where a buffer can overflow: Let us assume every byte of test[] consist of letter A A A A A A A Buffer (test) A A A A

(iv)

For(i=0;i<=9;i++) Test[i]=A; In the above figure, in the memory other user program or data, systems code or data may exist which will lead to the following four cases: Case 1: Affecting users data If we write the statement test[10]=B then other users data ,may be affected as shown

below. A A A A A A A A A In the above figure the user data is overwritten. A B

Case 2: Affect users code A A A A A A A A A A B

User data

user pgm code

In the above fig, where B is written if that instruction was executed then there is no change but if that instruction is ready for execution it will give wrong results. Case 3: Affecting system data A A A A A A A A A A B

User data Case 4: Affecting system program code A A A A A A A A A A

system data

User data

sys pgm data

7 2) Incomplete Mediation: (i) This problem occurs in the web application where the web developers has written a program in such a way that the fields of web form are only verified at the client side but it is not verified at the server side when the data is submitted through url. (ii) Eg:- Consider a website online_products.com on which customer is trying to buy product 250 which is at the price 200 and now the customer wants 10 such product and the shipping charges are Rs. 50. This complete information will be sent to the web server using the url which is shown below: http://www.online_products.com/order/final and customer id =101 and product no=250 and qty=200 and shipping charges=50 and total=2050. This above url calculation was only done at web client. Now the attacker will manipulate the url in such a way that the total will charge from 2050 t0 205. http://www.online_products.com/order/final and customer id =101 and product no=250 and qty=200 and shipping charges=50 and total=205. (iii) Nowadays, there are tools which are available to find such problems on the server side. 3) Race condition: (i) The term race condition refers to a race which occurs between the attacker and next stage of the process. (ii) To win the race the timing of the attacker is very important. (iii) Eg: In UNIX, mkdir command is used to make a directory on the memory but for creating a directory for the user there is a authorization stage which means only authorized users will be allowed to create the directory and take the ownership. (iv) If the attacker wants to take the ownership of the directory on the system, system can make a change after authorization stage but before the transfer of ownership. (v) How mkdir operates normally? mkdir 1. Allocate space 2. Take ownership

(vi)

How the attacker will attack mkdir attack? mkdir 1. Allocate space 3. Take ownership

2. Link Password