03 - slides

8/8/2019 03 - Slides

http://slidepdf.com/reader/full/03-slides 1/31

8/8/2019 03 - Slides


8/8/2019 03 - Slides


Tro u bleshootingTro u bleshooting

Hu manware Hu manwareWindows empowers the user, lessWindows empowers the user, lessrestrictive environment restrictive environment Easy for the unwary user to executeEasy for the unwary user to executeunwanted code (email virus)unwanted code (email virus)Convenience vs. Security (automaticConvenience vs. Security (automaticparsing of HTML email, etc.)parsing of HTML email, etc.)Uneducated user = highly vulnerableUneducated user = highly vulnerable

8/8/2019 03 - Slides


The Password ParadigmThe Password Paradigm

Completely and utterly depends onCompletely and utterly depends onsecrecy and strength of passwordsecrecy and strength of passwordMany ways to fool uneducated userMany ways to fool uneducated userinto giving away passwordinto giving away password(impersonating administrators, etc.)(impersonating administrators, etc.)Reused password = less secureReused password = less secure

8/8/2019 03 - Slides


Windows ProtocolsWindows Protocols

Hard to find current specificationsHard to find current specificationsHard to tell off Hard to tell off- -hand why somehand why someservices are running, others aren t services are running, others aren t Many are activated for unclear reasonsMany are activated for unclear reasons(e.g. SQL server)(e.g. SQL server)To understand requires a competenceTo understand requires a competencewhich most endwhich most end- -users lackusers lack

8/8/2019 03 - Slides


Where did all the specsWhere did all the specs

go? Long time passinggo? Long time passingThere seem to be no formal specs for CIFSThere seem to be no formal specs for CIFS(protocol for Windows file(protocol for Windows file- -sharing)sharing)

Without a current and authoritative protocol Without a current and authoritative protocolspecification, there is no external referencespecification, there is no external referenceagainst which to measure the correctness of anagainst which to measure the correctness of animplementation, and no way to hold anyoneimplementation, and no way to hold anyoneaccountable. Since Microsoft is the market leaderaccountable. Since Microsoft is the market leader

[ ] the behavior of their clients and servers is[ ] the behavior of their clients and servers isthe standard against which all otherthe standard against which all otherimplementations are measured.implementations are measured.Christopher Hertel,Christopher Hertel, http://www.ubiqx.org/cifs/SMB.htmlhttp://www.ubiqx.org/cifs/SMB.html

8/8/2019 03 - Slides


Chosen Area: Point toChosen Area: Point to

Point A u thenticationPoint A u thenticationWindows supports:Windows supports: Password Authentication ProtocolPassword Authentication Protocol CHAP: ChallengeCHAP: Challenge--Handshake Authentication ProtocolHandshake Authentication Protocol MSCHAP: MS extensions to CHAPMSCHAP: MS extensions to CHAP MSCHAP2: Fixes to MSCHAPMSCHAP2: Fixes to MSCHAP O thers (EAP, PEAP )O thers (EAP, PEAP )PAP: passwords transmitted in plaintext PAP: passwords transmitted in plaintext

Acceptable before when networks were very small Acceptable before when networks were very small(MS)CHAP s major improvement: passwords no(MS)CHAP s major improvement: passwords nolonger transmitted in plain text!longer transmitted in plain text!Sounds goodSounds good

8/8/2019 03 - Slides


Bu tBu tCHAP does not specify whichCHAP does not specify which

encryption algorithm to use.encryption algorithm to use.MSCHAP on the other hand, does.MSCHAP on the other hand, does.

8/8/2019 03 - Slides


CHAP ProtocolCHAP Protocol

8/8/2019 03 - Slides


Events & Backgro u ndEvents & Backgro u nd

August 1996 August 1996 RFC 1334: CHAPRFC 1334: CHAPO ct 1998O ct 1998 RFC 2433: MSCHAP1RFC 2433: MSCHAP1Jan 2000Jan 2000 RFC 2759: MSCHAP2RFC 2759: MSCHAP2Nov 2001Nov 2001 1.4 Update to Win98 Dial1.4 Update to Win98 Dial- -UpUp--Networking, implementsNetworking, implements

MSCHAP2MSCHAP2O ct 2003: PEAP Internet Draft O ct 2003: PEAP Internet Draft Protected Extensible Authentication Protocol. CombinesProtected Extensible Authentication Protocol. Combines

TLS and MSCHAP2.TLS and MSCHAP2.

8/8/2019 03 - Slides


Cryptanalysis of M icrosoft s Point to Cryptanalysis of Microsoft s Point to Point Tu nn e ling Protocol Point Tu nn e ling Protocol (PP T P)(PP T P)Sc h n e i e r & Mud g e (98)Sc h n e i e r & Mud g e (98)

For Virtual Private Network, connection over TCP/IPFor Virtual Private Network, connection over TCP/IPlinklinkMicrosoft s implementation breaks down:Microsoft s implementation breaks down: Authentication level = MS Authentication level = MS- -CHAPCHAP Encryption = RC4Encryption = RC4

Point to Point Tunneling Protocol: data channelPoint to Point Tunneling Protocol: data channelencapsulated in PPP packets;encapsulated in PPP packets; no protocol specification for securityno protocol specification for securityMSMS--PPTP: server under WinNTPPTP: server under WinNT auth. options: clear password, or hashed, or challengeauth. options: clear password, or hashed, or challenge- -

responseresponse

8/8/2019 03 - Slides


MSMS--PP TP Cryptanalysis Part 2PP TP Cryptanalysis Part 2

LanMan HashLanMan HashWindows NT hash functions:Windows NT hash functions: LanManager hash based on DES; Win NT hash based onLanManager hash based on DES; Win NT hash based on

MD4MD4

LM s hash is homeLM s hash is home--made and weak:made and weak: truncates password to 14truncates password to 14--char string;char string; converts lowercase to uppercase;converts lowercase to uppercase; splits 14splits 14--byte in two 7byte in two 7- -byte halves, giving two DES keysbyte halves, giving two DES keys

with keys, encr. magic "KGS!@#$%"with keys, encr. magic "KGS!@#$%" - -> 2 8> 2 8- -byte stringsbyte strings concatenate those string : 16concatenate those string : 16- -byte hash valuebyte hash valueWinNT hash: 16WinNT hash: 16- -byte hash with MD4, no salt eitherbyte hash with MD4, no salt either

8/8/2019 03 - Slides


MSMS--PP TP Cryptanalysis Part 3PP TP Cryptanalysis Part 3

MSMS--CHAP ChallengeCHAP ChallengeMSMS--CHAP ChallengeCHAP Challenge--Response step:Response step:

Authenticator Authenticator ChallengeChallenge: :

88--byte random valuebyte random value Client side: for both LM and NT hash functionClient side: for both LM and NT hash function1.1. computes 16computes 16- -byte hash valuebyte hash value2.2. ZeroZero--Pad to get to 21Pad to get to 21- -byte valuebyte value - -> 3 7> 3 7- -byte DESbyte DES

keyskeys

3.3. encrypt challenge with each DES keyencrypt challenge with each DES key4.4. concatenate those 3 8concatenate those 3 8- -byte valuesbyte values - -> 24> 24--bytebyteresponseresponse

Client Client ResponseResponse: :send back both values, with a flagsend back both values, with a flag

8/8/2019 03 - Slides


8/8/2019 03 - Slides


MSMS--PP TP cryptanalysis Part 5PP TP cryptanalysis Part 5

Attack on MS Attack on MS- -CHAPCHAPCryptanalysis of MSCryptanalysis of MS- -CHAP:CHAP:

Dictionary attack [L O pht proved it is efficient]Dictionary attack [L O pht proved it is efficient] O ffline: preO ffline: pre--computed DES encryption of eachcomputed DES encryption of each

likely values of P0 P6 and P7 P13likely values of P0 P6 and P7 P13 Given RGiven R 00 RR 77 RR88 RR 1515 RR1616 RR 2323 seen on link:seen on link:

1.1. Retrieve K Retrieve K 1414 and K and K 1515 : average 2: average 2 1515 DES ops.DES ops.2.2. for Nfor N 22 likely values of Plikely values of P 77 PP 1313 : (DES encr. known): (DES encr. known)

K K 1414 and K and K 1515 retrieved : Nretrieved : N 22 /2 /2 1616 DES trials maxDES trials max

3.3. for Nfor N 11 likely values of Plikely values of P 00 PP 66::K K 77 retrieved : Nretrieved : N 11 /2 /2 88 DES trials maxDES trials max

Cryptanalysis of MSCryptanalysis of MS- -PPE: secret key alsoPPE: secret key alsobased on passwordbased on password

8/8/2019 03 - Slides


The LO pht Crack on theThe LO pht Crack on the

LanMan Password HashLanMan Password HashCreator: Mudge, Schneier s coCreator: Mudge, Schneier s co- -author of the articleauthor of the article

April 97, April 97, Electronic Engineering TimesElectronic Engineering Times: :Explanation of Mudge s motivations; Nash, MS director of Explanation of Mudge s motivations; Nash, MS director of marketing for Windows NT Server , answers back.marketing for Windows NT Server , answers back. Mudge would like to have MS policy on security changed;Mudge would like to have MS policy on security changed; Nash claims enough internal betaNash claims enough internal beta- -testingtestingJuly 98,July 98, Windows & .NET magazineWindows & .NET magazine: :

NT Server Security Checklist excerpts NT Server Security Checklist excerpts Enforce strong password policyEnforce strong password policy Use password crackers:Use password crackers:

The latest version of L0phtCrack is Microsoft's worst nightmare and The latest version of L0phtCrack is Microsoft's worst nightmare andevery NT administrator's new best friend.every NT administrator's new best friend.

8/8/2019 03 - Slides


Mu rMu r NN Modeling of CHAPModeling of CHAP

(R FC 1 99 4 )(R FC 1 99 4 )

8/8/2019 03 - Slides


( MS) CHAP1 Problems( MS) CHAP1 Problems

CHAP and MSCHAP both suffer fromCHAP and MSCHAP both suffer frommanman--inin--thethe--middle (no servermiddle (no serverauthentication). Murauthentication). Mur NN verified this.verified this.

MSCHAP1: Failure_PasswordExpiredMSCHAP1: Failure_PasswordExpiredforces bad LanMan hash to be sent forces bad LanMan hash to be sent

8/8/2019 03 - Slides


Th u s Came MSCHAP2Th u s Came MSCHAP2

MSCHAP2 addresses two points:MSCHAP2 addresses two points: Cryptography: uses SHACryptography: uses SHA- -1, MD41, MD4 ManMan--inin--thethe--middle partially solved: servermiddle partially solved: server

authentication through client challengeauthentication through client challengeClient sends its own challenge alongClient sends its own challenge alongwith its responsewith its responseIn success message server sendsIn success message server sendsmonstermonster- -hash backhash back

8/8/2019 03 - Slides


8/8/2019 03 - Slides


MSCHAP2MSCHAP2

To be able to generate response hash, one needsTo be able to generate response hash, one needsto have the plainto have the plain- -text or 1text or 1- -step hashed passwordstep hashed passwordavailable.available.

According to Mur According to Mur NN however there is still a manhowever there is still a man- -inin--thethe--middle attackmiddle attackSolution: send server s name in the hashSolution: send server s name in the hashMSCHAP2 still depends on password integrity!MSCHAP2 still depends on password integrity!

Microsoft decided to keep backwards compatibilityMicrosoft decided to keep backwards compatibilitywith MSCHAP1with MSCHAP1 so the attacker can convince bothso the attacker can convince boththe client and server to negotiate that instead!the client and server to negotiate that instead!

8/8/2019 03 - Slides


Modeling Proced u reModeling Proced u re

Modeled CHAPModeled CHAP discovered basicdiscovered basicattack (MitM)attack (MitM)Modeled MSCHAP1Modeled MSCHAP1 verified MitM,verified MitM,and that intruder could convince client and that intruder could convince client to send LanMan hashto send LanMan hash

Modeled MSCHAP2Modeled MSCHAP2 but ran into abut ran into awallwall

8/8/2019 03 - Slides


Modeling Diffic u ltiesModeling Diffic u lties

Schneier article polluted first attempt.Schneier article polluted first attempt. We knew what we wanted to show, so weWe knew what we wanted to show, so we

designed the model to show it!designed the model to show it! Left out many possible intruder movesLeft out many possible intruder moves Model felt bad and was obviously incompleteModel felt bad and was obviously incomplete

Redesigned model to have a much moreRedesigned model to have a much morerobust intruder.robust intruder.This confirmed MitM for MSCHAP2, whichThis confirmed MitM for MSCHAP2, whichdid not appear with weaker modeldid not appear with weaker model

8/8/2019 03 - Slides


Concl u sionsConcl u sions

Hard to sort through morass of informalHard to sort through morass of informalspecificationsspecifications

MSCHAP2 seems to fix MSCHAP1 problems,MSCHAP2 seems to fix MSCHAP1 problems,but allows for version rollback attacksbut allows for version rollback attacksMurMurNN seems adequate for this protocolseems adequate for this protocol

However, the found attacks are obviousHowever, the found attacks are obviousenough after having formalized the RFCsenough after having formalized the RFCs

8/8/2019 03 - Slides


Concl u sions, cont dConcl u sions, cont d

MSCHAPv2: better crypto, but still only as secure asMSCHAPv2: better crypto, but still only as secure aspasswordpasswordBackwards compatibility removes much of the point Backwards compatibility removes much of the point of an upgradeof an upgrade both for MSCHAPv1 (LanMan hash)both for MSCHAPv1 (LanMan hash)and MSCHAPv2 (compatibility with v1)and MSCHAPv2 (compatibility with v1)MSCHAPv1 mistake (poor hash) should have beenMSCHAPv1 mistake (poor hash) should have beenavoidedavoided Improper, insufficient cryptanalysisImproper, insufficient cryptanalysis

Big problem with MSCHAPv1 is not the fault of theBig problem with MSCHAPv1 is not the fault of theprotocol itself protocol itself MSCHAPv2: more robust crypto, but protocol is stillMSCHAPv2: more robust crypto, but protocol is stillflawedflawed

8/8/2019 03 - Slides


ReferencesReferences

RFCsRFCs http://www.zvon.org/tmRFC/RFC2759/ O utput/index.htmlhttp://www.zvon.org/tmRFC/RFC2759/ O utput/index.html

http://www.zvon.org/tmRFC/RFC2433/O

utput/index.htmlhttp://www.zvon.org/tmRFC/RFC2433/O

utput/index.html http://www.zvon.org/tmRFC/RFC1994/ O utput/index.htmlhttp://www.zvon.org/tmRFC/RFC1994/ O utput/index.html

Schneier papers:Schneier papers: http://www.schneier.com/paperhttp://www.schneier.com/paper- -pptp.htmlpptp.html

http://www.schneier.com/paperhttp://www.schneier.com/paper- -pptpv2.htmlpptpv2.html

8/8/2019 03 - Slides


References, cont dReferences, cont d

MS Knowledge BaseMS Knowledge Base Articles 297816, 285189, 297840, 297818 Articles 297816, 285189, 297840, 297818

MSDN:MSDN: http://msdn.microsoft.com/library/enhttp://msdn.microsoft.com/library/en- -us/wceeap/html/us/wceeap/html/

cxconextensibleauthenticationprotocol.aspcxconextensibleauthenticationprotocol.asp

SMB/CIFS:SMB/CIFS:

What is SMB? What is SMB?, Richard Sharpe, 2002,, Richard Sharpe, 2002,http://samba.org/cifs/docs/what http://samba.org/cifs/docs/what- -isis--smb.htmlsmb.html

Implementing CIFSImplementing CIFS, Christopher R. Hertel, 2003,, Christopher R. Hertel, 2003,http://www.ubiqx.org/cifs/http://www.ubiqx.org/cifs/

03 - slides

Documents