Towards Secure and Dependable
Authentication and Authorization Infrastructures
Diego Kreutz, Alysson Bessani, Eduardo
Feitosa, Hugo Cunha
PRDC2014, Singapore
Cyber threats: state of affairs (slide 2)
- NSA Director Rogers Urges Cyber-Resiliency (Threat Post, Washington, D.C., United States)
- Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 (The White House, Washington, D.C., United States)
- Biggest ever cyber security exercise in Europe today (European Commission - Press Releases, October 30, 2014)
- Survey: Cyber security priorities shift to insider threats (Federal Times, US)
Authentication & Authorization Infra (AAI) (slides 3-9)
A typical Authentication & Authorization architecture in an enterprise network:
  Client --802.1X--> NAS (e.g., WiFi router) --RADIUS--> Authentication Server --LDAP, SQL--> Backend Service
Callouts added slide by slide:
- A user requesting network access. AAIs are one of the most critical pillars of current IT systems!
- Credential theft
- Access deny/grant
- Permissions & credentials
- What if end-to-end EAP-TLS?
- EAP-TLS by itself is still not enough!
AAI Federations & Threats (slides 10-11)
A typical AAI Federation among enterprise networks (mobility, …):
- Confederation top-level RADIUS server
- Federation top-level RADIUS servers (.PT, .SG)
- Institutional level RADIUS servers
- Network infrastructure, systems and services
- Users U1, U2, U3, U4
Outline (slide 12)
- Our Solution
- Goals & Challenges
- Intrusion-Tolerant AAIs
- Conclusion
- Evaluation

Mapping the current state of affairs of AAIs (slide 13)

Current State of Affairs of AAIs (slide 14)
Systems are placed on a diagram with two axes, Dependability and Security & Trust, in categories C1 to C6. Existing systems are of categories C1, C2 and C3. Our goal is to design systems of categories C4-C6.

What can we do about it? (slides 15-16)
- Approach 1: try to fix everything!?
- Approach 2: increase the system’s security and dependability: hybrid system architectures, specialized components, clouds, …

Goals (slide 17)
- Develop new hybrid system architectures for AAIs.
- Design & provide mechanisms for building fault- and intrusion-tolerant AAIs.

Challenges (slide 18)
- Arbitrary fault tolerance in AAI systems
- Ensure confidentiality of sensitive data
- Keep backward compatibility
Outline (slide 19; section divider, same items as slide 12)

Traditional RADIUS architecture (slides 20-21)
  Client --802.1X--> NAS (e.g., WiFi router) --RADIUS--> Authentication Server --LDAP, SQL--> Backend Service
- Shared secret (confidentiality, integrity)
- How to avoid single points of failure?

Building a resilient architecture (slides 22-29)
Step-by-step build-up, one callout per slide:
- Slide 22: ‘Multi-path’ by simple replication (same elements as above, with the shared secret)
- Slide 23: How to tolerate arbitrary faults?
- Slide 24: Backward compatibility & SMR integration. Elements: Client --802.1X--> NAS (e.g., WiFi router) --RADIUS--> Authentication Gateway --> Authentication Server & Back-end, replicated with BFT-SMR
- Slide 25: How to ensure the confidentiality of shared secrets?
- Slide 26: Solution = secure elements on the RADIUS replicas
- Slide 27: EAP-TLS with BFT-SMR? How can it work?
- Slide 28: EAP-TLS handshake with an adapted PRF
- Slide 29: Let’s simplify by removing the back-ends
Sensitive Data & Secure Component (SC) (slides 30-35)
Authentication Service Replica: protocol handlers for TLS, EAP, RADIUS, OpenID and HTTP/HTTPS on top of BFT-SMaRt, plus a Secure Component that holds the keys PuCA, KNAS, PrS, KUser, ID and KAssoc.

USER Table (each row carries a MAC):
  <ID1> <…, Perm>MAC
  <ID2> <…, Perm>MAC
  <ID3> <…, Perm>MAC
  <ID4> <…, Perm>MAC
  …
  <IDn> <…, Perm>MAC

DATA Table (NAS | Association) (each row carries an encrypted key EK):
  <NAS1 | Handler1> <…, EK1>
  <NAS2 | Handler2> <…, EK2>
  <NAS3 | Handler3> <…, EK3>
  <NAS4 | Handler4> <…, EK4>
  …
  <NASn | Handlern> <…, EKn>

SC methods:
  1. HMAC
  2. DecryptRSA
  3. SymmCipher
  4. Confidential
  5. SignRSA
  6. GenAssociation
  7. GenNonce

Method       | Protocol   | Input                            | Output
DecryptRSA   | TLS        | Packet to be verified.           | Status of the signature verification.
SignRSA      | TLS        | Data to sign.                    | RSA signature using the key PrS.
SymmCipher   | TLS/RADIUS | Protocol id and data.            | Ciphered output of the input data.
Confidential | TLS/RADIUS | The packet data.                 | A confidential share of the data.
HMAC         | RADIUS     | Data + encrypted shared key.     | HMAC-MD5 of the input data.
GenAssoc     | OpenID     | Public key and two big integers. | Association info + server’s public key.
GenNonce     | OpenID     | Two big integers.                | Pseudo-random nonce.

How to implement a secure component? (slide 36)
A secure component can be “any” device capable of ensuring the data and operation confidentiality of the target system/environment. Options:
- Smart Cards
- Intel SGX
- A Tamper Resistant FPGA
- A Highly Secured (shielded) Computer
- Virtual TPM (e.g. vTPM)
- Secure Hypervisor (e.g. sHyper)
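The tables above give the data layout (USER rows protected by a MAC, a DATA table holding each NAS shared secret only as an encrypted key EK) and the SC method HMAC, which takes RADIUS data plus the encrypted shared key and returns an HMAC-MD5. The Python model below is added here as an illustration; it is not code from the slides or from the authors' prototype. It shows how a replica can operate on those tables without ever holding a plaintext shared secret: the SC object alone has the master key, and the replica only calls its methods. The class and method names, the key-wrapping scheme (an HMAC-SHA256 keystream with a tag, chosen so the block needs only the standard library) and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 16


class SecureComponent:
    """Model of the slides' SC: holds the master key, exposes only narrow operations.
    Added example; the wrapping scheme and names are assumptions, not the authors'."""

    def __init__(self, master_key: bytes) -> None:
        # Domain-separated sub-keys: the wrapping cipher, its tag and the
        # USER-row MAC never share key material.
        self._k_enc = hmac.new(master_key, b"sc/enc", hashlib.sha256).digest()
        self._k_tag = hmac.new(master_key, b"sc/tag", hashlib.sha256).digest()
        self._k_row = hmac.new(master_key, b"sc/user-row", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def wrap_shared_secret(self, shared_secret: bytes) -> bytes:
        """Provisioning: return EK = nonce || ciphertext || tag for the DATA table."""
        nonce = secrets.token_bytes(NONCE_LEN)
        ks = self._keystream(nonce, len(shared_secret))
        ct = bytes(a ^ b for a, b in zip(shared_secret, ks))
        tag = hmac.new(self._k_tag, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    def _unwrap(self, ek: bytes) -> bytes:
        nonce, ct, tag = ek[:NONCE_LEN], ek[NONCE_LEN:-TAG_LEN], ek[-TAG_LEN:]
        expected = hmac.new(self._k_tag, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("EK failed its integrity check")  # tampered or foreign blob
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def HMAC(self, data: bytes, ek: bytes) -> bytes:
        """SC method HMAC: RADIUS data + encrypted shared key -> HMAC-MD5 of the data."""
        return hmac.new(self._unwrap(ek), data, hashlib.md5).digest()

    def mac_user_row(self, user_id: str, perm: str) -> bytes:
        """MAC over a USER-table row (<ID> <..., Perm>MAC on the slides)."""
        return hmac.new(self._k_row, user_id.encode() + b"\x00" + perm.encode(), hashlib.sha256).digest()

    def verify_user_row(self, user_id: str, perm: str, mac: bytes) -> bool:
        return hmac.compare_digest(self.mac_user_row(user_id, perm), mac)


class ReplicaStore:
    """Replica-side tables: MAC-protected rows and EK blobs, never a plaintext secret."""

    def __init__(self, sc: SecureComponent) -> None:
        self.sc = sc
        self.user_table: dict[str, tuple[str, bytes]] = {}  # ID -> (Perm, MAC)
        self.data_table: dict[str, bytes] = {}               # NAS -> EK

    def add_user(self, user_id: str, perm: str) -> None:
        self.user_table[user_id] = (perm, self.sc.mac_user_row(user_id, perm))

    def add_nas(self, nas_id: str, shared_secret: bytes) -> None:
        self.data_table[nas_id] = self.sc.wrap_shared_secret(shared_secret)

    def permissions(self, user_id: str):
        """Return Perm only while the row's MAC verifies; None if the row was altered."""
        perm, mac = self.user_table[user_id]
        return perm if self.sc.verify_user_row(user_id, perm, mac) else None

    def message_authenticator(self, nas_id: str, radius_data: bytes) -> bytes:
        """HMAC-MD5 over RADIUS data for one NAS, computed inside the SC."""
        return self.sc.HMAC(radius_data, self.data_table[nas_id])


def demo() -> dict:
    """Constructed scenario; every value below is sample data, not from the slides."""
    sc = SecureComponent(master_key=b"constructed-master-key-for-demo")
    store = ReplicaStore(sc)
    nas_secret = b"constructed-nas-shared-secret"
    packet = b"\x01\x2a\x00\x14constructed RADIUS Access-Request body"
    store.add_nas("nas1", nas_secret)
    store.add_user("alice", "vlan=staff")
    results = {
        "perm_ok": store.permissions("alice"),
        "mac_matches_direct": store.message_authenticator("nas1", packet)
        == hmac.new(nas_secret, packet, hashlib.md5).digest(),
        "secret_absent_from_replica": nas_secret not in store.data_table["nas1"],
    }
    # A replica that rewrites a permission without the SC invalidates the row.
    _, old_mac = store.user_table["alice"]
    store.user_table["alice"] = ("vlan=admin", old_mac)
    results["tampered_perm"] = store.permissions("alice")
    # A modified EK is rejected instead of silently yielding a wrong tag.
    ek = bytearray(store.data_table["nas1"])
    ek[NONCE_LEN] ^= 0x01
    try:
        sc.HMAC(packet, bytes(ek))
        results["tampered_ek_rejected"] = False
    except ValueError:
        results["tampered_ek_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dictionary: the permission lookup succeeds only while the row's MAC verifies, the SC's HMAC-MD5 equals the one computed directly from the secret, the plaintext secret does not appear in the replica's table, and a modified EK is rejected rather than producing a wrong tag.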
Generic resilient architecture for AAIs (slides 37-40)
Elements and their replication degrees:
- Client
- Service / Application / Device (fS + 1)
- Gateway (AAI front-end) (fG + 1)
- AAI Replicas (mfR + 1), each with an AAI Secure Component: AAI SCs (mfR + 1)
- Connection labelled Protocol 2 between the elements
Callouts added slide by slide:
- Slide 38: Protocol-specific connection between elements
- Slide 39: Protocol-specific shared secrets (Shared secret)
- Slide 40: Trusted Third Party (TTP); EAP-TLS
Outline (slide 41; section divider, same items as slide 12)

Resilient RADIUS architecture (slide 42)
  Supplicant --802.1X/EAP-TLS--> Network Access Server (NAS) (fS + 1) --RADIUS/EAP-TLS--> RADIUS Gateway (fG + 1) --SMR/RADIUS/EAP-TLS--> Resilient RADIUS (3fR + 1)
- Symmetric shared secret

Resilient RADIUS communications (slide 43)
Participants: Supplicant, NAS, RADIUS Gateway, RADIUS Replicas, Trusted Components.
Protocols per hop: 802.1X (Supplicant - NAS), RADIUS (NAS - Gateway), BFT-SMR (Gateway - Replicas), with EAP-TLS carried across the exchange; the replicas run a BFT Agreement for each round (the slide shows two such rounds).
Resilient OpenID architecture (slide 44)
Elements: Client/Web Browser; Service Provider (Relying Party) (fS + 1); Resilient OpenID Identity Provider, made of the OpenID Gateway (fG + 1) and the Resilient OpenID replicas (3fR + 1).
Connections: HTTP/HTTPS and OpenID 2.0 between client, relying party and gateway; SMR/HTTP/HTTPS/OpenID 2.0 between gateway and replicas. The label “steps 4 and 5” refers to the Discovery (YADIS) and XRDS Response messages of the flow on slide 45.

Resilient OpenID communications (slide 45)
Participants: Client/Browser, Relying Party, OpenID Gateway, OpenID Replicas, Trusted Components.
 1. Service Request
 2. Identification Request
 3. Identification URL
 4. Discovery (YADIS)
 5. XRDS Response
 6. Association Request (RP DH public-key)
 7. Request (Association Handle + MAC Key + DH keypair)
 8. Response
 9. Association Response (IdP DH public-key)
    Association Established
10. Authentication Request
11. Credentials Request / Browser Redirection
12. Credentials
13. Credentials + Nonce Random Number request
14. Authentication Assertion + Number
15. Authentication Response
16. Authentication Response
Outline (slide 46; section divider, same items as slide 12)

Resilient RADIUS vs FreeRADIUS: Environment / Configuration (slide 47)
Resilient RADIUS: 7 machines; FreeRADIUS: 3 machines. Machine spec: CPU 2x4, MEM 32G, Net Giga.
FreeRADIUS topology: Supplicant -> Network Access Server (NAS) (fN + 1) with fN = 0 -> RADIUS Servers (fG + 1) with fG = 1; symmetric shared secret.
Resilient RADIUS topology: Supplicant -> Network Access Server (NAS) (fN + 1) with fN = 0 -> RADIUS Gateway (fG + 1) with fG = 1 -> Replicated RADIUS (3fR + 1) with fR = 1; symmetric shared secret.

Resilient RADIUS vs FreeRADIUS: Latency (slide 48; plot only)

Resilient RADIUS vs FreeRADIUS: Throughput (slide 49; plot only)

Resilient RADIUS vs FreeRADIUS: Fail-stop (crash) and Byzantine faults (slide 50)
Attack    | FreeRADIUS      | RADIUS Rep | RADIUS Gw
Fail-stop | 9s delay        | No delay   | 9s delay
Byzantine | Max delay of 9s | No delay   | Up to 9s delay
Note: using the default configuration of the RADIUS protocol, i.e., 3s between each retry.
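Slide 43 shows each RADIUS request going through a BFT Agreement among the replicas before the gateway answers the NAS, and the table above records no delay for the replicated RADIUS under a crashed or Byzantine replica, against a 9 s delay (three retries at the default 3 s) for a single server. The Python block below is added here as an illustration; it is not code from the slides or from the authors' prototype. It models the gateway-side reason: with n = 3f + 1 replicas and at most f faulty, the gateway can forward a reply as soon as f + 1 distinct replicas return the same one, so a dead replica costs no timeout and a compromised replica cannot push a forged Access-Accept through on its own. The reply values, arrival times, the retry model and the f + 1 threshold (the classic minimum for this argument; an actual client library may wait for a larger quorum) are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reply:
    arrival_s: float   # seconds after the gateway forwarded the request
    replica_id: int
    value: str         # e.g. "Access-Accept" / "Access-Reject"


def quorum_size(f: int) -> int:
    """Replicas needed to tolerate f arbitrary faults under BFT-SMR (3f + 1)."""
    return 3 * f + 1


def gateway_decide(replies: list[Reply], f: int) -> Optional[tuple[str, float]]:
    """Return (value, time) once f + 1 *distinct* replicas agree on a value.

    Replies are processed in arrival order. Repeats from the same replica are
    ignored, so a Byzantine replica cannot pad the count by answering twice.
    Returns None if no value reaches the threshold (the gateway would time out
    rather than forward anything).
    """
    voters: dict[str, set[int]] = defaultdict(set)
    for r in sorted(replies, key=lambda r: r.arrival_s):
        voters[r.value].add(r.replica_id)
        if len(voters[r.value]) >= f + 1:
            return r.value, r.arrival_s
    return None


def single_server_delay(server_answers: bool, retries: int = 3, retry_interval_s: float = 3.0) -> float:
    """Delay seen by the NAS against one server: immediate, or the full retry budget."""
    return 0.0 if server_answers else retries * retry_interval_s


# Constructed scenarios with f = 1, n = 4 replicas (ids 0..3); all timings are sample data.
def scenario_crash() -> Optional[tuple[str, float]]:
    # Replica 3 has crashed and never answers; the other three agree.
    return gateway_decide([
        Reply(0.012, 0, "Access-Accept"),
        Reply(0.015, 1, "Access-Accept"),
        Reply(0.021, 2, "Access-Accept"),
    ], f=1)


def scenario_byzantine() -> Optional[tuple[str, float]]:
    # Replica 2 is compromised: it answers first and repeats its forged reply.
    return gateway_decide([
        Reply(0.001, 2, "Access-Accept"),   # forged: the correct replicas reject
        Reply(0.002, 2, "Access-Accept"),   # duplicate from the same replica
        Reply(0.014, 0, "Access-Reject"),
        Reply(0.017, 1, "Access-Reject"),
        Reply(0.030, 3, "Access-Reject"),
    ], f=1)


def scenario_too_many_faults() -> Optional[tuple[str, float]]:
    # Two faulty replicas (one lying, one silent) plus one more silent: the
    # f = 1 assumption is violated, no quorum forms, nothing is forwarded.
    return gateway_decide([
        Reply(0.001, 2, "Access-Accept"),
        Reply(0.005, 0, "Access-Reject"),
    ], f=1)


if __name__ == "__main__":
    print("n =", quorum_size(1))
    print("crash:", scenario_crash())
    print("byzantine:", scenario_byzantine())
    print("too many faults:", scenario_too_many_faults())
    print("single server, dead:", single_server_delay(False), "s")
```

In the crash scenario the decision is taken on the second matching reply, well before any RADIUS retry timer would fire; in the Byzantine scenario the forged Access-Accept never reaches two distinct voters and the correct Access-Reject wins. The last scenario shows the bound itself: once more than f replicas misbehave the gateway cannot form an honest quorum and must not forward a reply.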
Resilient OpenID (slide 51)
Average latencies reported on the slide: 78.360 ms, 87.343 ms and 32.103 ms.
Environment | vCPU | ECUs | MEM   | Network
Quinta-VMsR | 3    | ---  | 4GB   | Gigabit Ethernet
Quinta-VMsG | 6    | ---  | 8GB   | Gigabit Ethernet
Quinta-Phy  | 16   | ---  | 32GB  | Gigabit Ethernet
Amazon-DCs  | 2    | 6.5  | 7.5GB | Public WAN

Resilient OpenID (slide 52): Near linear gain
Plot of number of authentications/s (0-6000) against number of OpenID clients (10, 20, 40, 80, 100, 200) for Quinta-VMs, Quinta-PHY and Amazon-DCs; the values are tabulated on slide 65.

Resilient OpenID (faults & attacks) (slide 53)
Plot: ROpenID throughput under crash faults and attacks; y-axis number of authentications/s (400-1600), x-axis number of OpenID clients (10, 20, 40, 80, 100). Series: FF-Exec, 1s-Crash, 2s-Crash, 4s-Crash, 8s-Crash, 16s-Crash, TCP-ACK-A, TCP-SYN-A.
Outline (slide 54; section divider, same items as slide 12)

Conclusion (slides 55-58)
- A hybrid architecture for intrusion-tolerant AAIs
- A secure component for ensuring the confidentiality
- Backward compatibility for both RADIUS & OpenID
- Performance assessment and evaluation under faults & attacks

Towards Secure and Dependable Authentication and Authorization Infrastructures (slide 59; title slide repeated, additional slides follow)
Bugs, failures, threats, attacks, … (slide 60)
- Cyber Crimes/Attacks
- Software Bugs & Vulnerabilities
- Logical Failures

Cyber threats: state of affairs (slide 61; extended version of slide 2)
- NSA Director Rogers Urges Cyber-Resiliency (Threat Post, Washington, D.C., United States)
- Guide to Cyber Threat Information Sharing (Draft) (National Institute of Standards and Technology, NIST)
- Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 (The White House, Washington, D.C., United States)
- Biggest ever cyber security exercise in Europe today (European Commission - Press Releases, October 30, 2014)
- Emerging Cyber Threats Report 2015 (Georgia Institute of Technology)
- One million cyber attacks a day on Deutsche Telekom network (EU News & policy debates, across languages)
- Survey: Cybersecurity priorities shift to insider threats (Federal Times, US)
Authentication & Authorization Infra (AAI) (slide 62)
Traditional OpenID Architecture: Client / Web Browser; Service Provider (SP) / Relying Party (RP); OpenID Server with OpenID Backends (SQL, LDAP); label “steps 4 and 5” (see slide 45).
Traditional RADIUS Architecture: Supplicant --802.1X--> Network Access Server (NAS) --RADIUS--> AAA/RADIUS Server with AAA Backends (SQL, LDAP); symmetric shared secret.
Typical Authentication & Authorization Infrastructure Architecture: Client --Protocol 1--> Service --Protocol 2--> Authentication Service --Protocol 3--> Auth Backends (SQL, LDAP); the label Protocol 2 appears twice on the diagram.
State Machine Replication (SMR) with BFT-SMaRt (slide 63)
Main building blocks (SMR): the AAI Gateway sends a REQUEST to the AAI Replicas R0 (leader), R1, R2 and R3; the replicas run the PROPOSE, WEAK and STRONG phases and return a REPLY to the gateway.
Vulnerabilities and Threats in AAIs (slide 64)
Vulnerability / Supported feature                | RADIUS | OpenID
Tolerates crash faults (e.g., back-end clusters) | YES    | YES
Tolerates arbitrary faults                       | NO     | NO
Tolerates infrastructure outages                 | NO     | NO
Tolerates DDoS attacks                           | NO     | NO
Risk of common vulnerabilities                   | HIGH   | HIGH
Risk of sensitive data leakage                   | HIGH   | HIGH
Protocol security-related vulnerabilities        | YES    | YES
Susceptibility to resource depletion attacks     | YES    | YES
Resilient OpenID (slide 65): number of authentications/s
# of clients | Quinta-VMs | Quinta-PHY | Amazon-DCs
10           | 501        | 1489       | 62
20           | 769        | 2540       | 111
40           | 986        | 3487       | 210
80           | 1077       | 4719       | 401
100          | 1136       | 5011       | 489
200          | 1424       | 5290       | 704
Near linear gain. Saturation points.

Wait! What about resource depletion attacks?
In virtualized environments, how can malicious VMs affect the execution of non-malicious VMs?
Resource Depletion Attacks (slides 67-70)
Slides 67-68: title only.
Slide 69: plot of ROpenID throughput under CPU depletion attacks; y-axis number of authentications/s (200-1600), x-axis number of OpenID clients (10, 20, 40, 80, 100). Series: FF-Exec, 3vCPUs-Attack, 6vCPUs-Attack, 12vCPUs-Attack.
Slide 70: plot of ROpenID throughput under attacks (QuintaVMs); same axes. Series: TCP-ACK-A, TCP-SYN-A, TCP-SYN-ACK-A, TCP-SSH-A.

More Related Content

PDF
10695 sidtfa sb_0210
PPTX
Implementing a Secure and Effective PKI on Windows Server 2012 R2
PDF
ATT&CKING Containers in The Cloud
PDF
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
PDF
Computer Security - CCNA Security - Lecture 2
PPTX
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
PDF
State of the ATT&CK
10695 sidtfa sb_0210
Implementing a Secure and Effective PKI on Windows Server 2012 R2
ATT&CKING Containers in The Cloud
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Computer Security - CCNA Security - Lecture 2
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
State of the ATT&CK

What's hot (20)

PPT
Secure Socket Layer
PPTX
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PDF
Cisco iso based CA (certificate authority)
PPTX
SSL/TLS Eavesdropping with Fullpath Control
PDF
Network security unit 4,5,6
PDF
Secure 3 kany-vanda
PPT
Secure Socket Layer
PPT
SSL & TLS Architecture short
PDF
Deploying Secure Converged Wired, Wireless Campus
PDF
Transforming Security: Containers, Virtualization and Softwarization
PDF
CipherWire Networks - SafeNet KeySecure
PPTX
Ccna sv2 instructor_ppt_ch1
PDF
Managing SSH Acccess Without Managing SSH Keys
PDF
Crypt tech technical-presales
PPTX
Ssl for e commerce
PPT
Websecurity
PDF
Protection Saving Positioned Multi-Keyword Scan for Different Information in ...
PPTX
cisco-nti-Day20
PDF
Symantec’s View of the Current State of ECDSA on the Web
PDF
The New Landscape of Airborne Cyberattacks
Secure Socket Layer
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Cisco iso based CA (certificate authority)
SSL/TLS Eavesdropping with Fullpath Control
Network security unit 4,5,6
Secure 3 kany-vanda
Secure Socket Layer
SSL & TLS Architecture short
Deploying Secure Converged Wired, Wireless Campus
Transforming Security: Containers, Virtualization and Softwarization
CipherWire Networks - SafeNet KeySecure
Ccna sv2 instructor_ppt_ch1
Managing SSH Acccess Without Managing SSH Keys
Crypt tech technical-presales
Ssl for e commerce
Websecurity
Protection Saving Positioned Multi-Keyword Scan for Different Information in ...
cisco-nti-Day20
Symantec’s View of the Current State of ECDSA on the Web
The New Landscape of Airborne Cyberattacks
Ad

Similar to Towards Secure and Dependable Authentication and Authorization Infrastructures (20)

PDF
A modern approach to safeguarding your ICS and SCADA systems
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
PPT
The 300 Leonidas Solution
DOCX
AAA server
PPT
E Snet Raf Essc Jan2005
PDF
Mobile Devices & BYOD Security – Deployment & Best Practices
PDF
Eximbank security presentation
PPTX
Removing Security Roadblocks to IoT Deployment Success
PDF
Gartner Security & Risk Management Summit 2018
DOCX
aug-resume-2015
PPTX
КЛМ_Урок 1
PPTX
SCADA and HMI Security in InduSoft Web Studio
PDF
Cisco Trustsec & Security Group Tagging
PDF
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
PPTX
Infra & cyberSecurity Presentation - V1.pptx
PPTX
Cloud security Presentation
PDF
Network+ Guide to Networks 7th Edition West Test Bank
PDF
ICC Networking Data Security
PDF
ICC Networking Data Security
A modern approach to safeguarding your ICS and SCADA systems
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
The 300 Leonidas Solution
AAA server
E Snet Raf Essc Jan2005
Mobile Devices & BYOD Security – Deployment & Best Practices
Eximbank security presentation
Removing Security Roadblocks to IoT Deployment Success
Gartner Security & Risk Management Summit 2018
aug-resume-2015
КЛМ_Урок 1
SCADA and HMI Security in InduSoft Web Studio
Cisco Trustsec & Security Group Tagging
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Infra & cyberSecurity Presentation - V1.pptx
Cloud security Presentation
Network+ Guide to Networks 7th Edition West Test Bank
ICC Networking Data Security
ICC Networking Data Security
Ad

More from Diego Kreutz (8)

PDF
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
PDF
Infrastructure Resilience against Attacks and Faults
PDF
The dark side of SDN and OpenFlow
PDF
Software-Defined Networking: Evolution or Revolution?
PDF
SDNs: hot topics, evolution & research opportunities
PDF
Computação em Nuvem: conceitos, tendências e aplicações em Software Livre
PDF
Serviços de rede: uma visão de futuro
PDF
SecFutNet project - Secutiry for Future Network
Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and oppo...
Infrastructure Resilience against Attacks and Faults
The dark side of SDN and OpenFlow
Software-Defined Networking: Evolution or Revolution?
SDNs: hot topics, evolution & research opportunities
Computação em Nuvem: conceitos, tendências e aplicações em Software Livre
Serviços de rede: uma visão de futuro
SecFutNet project - Secutiry for Future Network

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Getting Started with Data Integration: FME Form 101
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPTX
Tartificialntelligence_presentation.pptx
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Hybrid model detection and classification of lung cancer
PDF
DP Operators-handbook-extract for the Mautical Institute
PPTX
OMC Textile Division Presentation 2021.pptx
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
Mushroom cultivation and it's methods.pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
August Patch Tuesday
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
1 - Historical Antecedents, Social Consideration.pdf
Approach and Philosophy of On baking technology
Chapter 5: Probability Theory and Statistics
Enhancing emotion recognition model for a student engagement use case through...
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Getting Started with Data Integration: FME Form 101
A comparative study of natural language inference in Swahili using monolingua...
Tartificialntelligence_presentation.pptx
Heart disease approach using modified random forest and particle swarm optimi...
MIND Revenue Release Quarter 2 2025 Press Release
Hybrid model detection and classification of lung cancer
DP Operators-handbook-extract for the Mautical Institute
OMC Textile Division Presentation 2021.pptx
Programs and apps: productivity, graphics, security and other tools
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
Mushroom cultivation and it's methods.pdf
Digital-Transformation-Roadmap-for-Companies.pptx
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
August Patch Tuesday
Assigned Numbers - 2025 - Bluetooth® Document
1 - Historical Antecedents, Social Consideration.pdf

Towards Secure and Dependable Authentication and Authorization Infrastructures

  • 1. Towards Secure and Dependable Authentication and Authorization Infrastructures Diego Kreutz, Alysson Bessani, Eduardo Feitosa, Hugo Cunha PRDC2014, Singapore
  • 2. Cyber threats: state of affairs 2 NSA Director Rogers Urges Cyber-Resiliency Threat Post, Washington, D.C. (United States) Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 The White House, Washington, D.C. (United States) Biggest ever cyber security exercise in Europe today European Commission - PRESS RELEASES, October 30, 2014 Survey: Cyber security priorities shift to insider threats FEDERALTIMES US
  • 3. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 3 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client A user requesting network access AAIs are of the most critical pillars of current IT systems!
  • 4. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 4 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Credential theft
  • 5. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 5 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Access deny/ grant
  • 6. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 6 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Access deny/ grant
  • 7. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 7 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Permissions & credentials
  • 8. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 8 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server What if end-to- end EAP-TLS? EAP-TLS Backend Service Client
  • 9. Authentication & Authorization Infra (AAI) A typical Authentication & Authorization architecture in an enterprise network 9 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server EAP-TLS by itself is still not enough! EAP-TLS Backend Service Client
  • 10. AAI Federations & Threats A typical AAI Federation among enterprise networks (mobility, …) 10 .PT .SGFederation top-level RADIUS servers Confederation top-level RADIUS sever Institutional level RADIUS servers Network infrastructure, systems and services U1 U2 U3 U4
  • 11. AAI Federations & Threats A typical AAI Federation among enterprise networks (mobility, …) 11 .PT .SGFederation top-level RADIUS servers Confederation top-level RADIUS sever Institutional level RADIUS servers Network infrastructure, systems and services U1 U2 U3 U4
  • 12. Outline Our Solution Goals & Challenges Intrusion-Tolerant AAIs Conclusion Evaluation
  • 13. 13 Mapping the current state of affairs of AAIs
  • 14. 14 Current State of Affairs of AAIs Dependability   Security  &  Trust   C1 C2 C3 C4 C6 C5 Exiting systems are of categories C1, C2 and C43 Our goal is to design systems of categories C4-C6
  • 15. 15 What can we do about it? Approach 1: try to fix everything!?
  • 16. 16 What can we do about it? Approach 2: increase the system’s security and dependability Hybrid system architectures, specialized components, clouds, …
  • 17. Goals 17 Develop new hybrid system architectures for AAIs. Design & Provide mechanisms for building fault- and intrusion-tolerant AAIs
  • 18. Challenges 18 Arbitrary fault tolerance in AAI systems Ensure confidentiality of sensitive data Keep backward compatibility
  • 19. Outline Our Solution Goals & Challenges Intrusion-Tolerant AAIs Conclusion Evaluation
  • 20. 20 Traditional RADIUS architecture 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Shared secret Shared secret (confidentiality, integrity)
  • 21. 21 Traditional RADIUS architecture 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Shared secret How to avoid single points of failure?
  • 22. 22 Building a resilient architecture 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Shared secret ‘Multi-path’ by simple replication
  • 23. 23 Building a resilient architecture 802.1X RADIUS LDAP, SQL NAS (e.g., WiFi router) Authentication Server Backend Service Client Shared secret How to tolerate arbitrary faults?
  • 24. 24 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Authentication Server & Back-end Backward compatibility & SMR integration BFT-SMR
  • 25. 25 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Shared secret Authentication Server & Back-end How to ensure the confidentiality of shared secrets?
  • 26. 26 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Shared secret Authentication Server & Back-end Solution = secure elements on the RADIUS replicas
  • 27. 27 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Shared secret Authentication Server & Back-end EAP-TLS with BFT-SMR? How can it work? EAP-TLS
  • 28. 28 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Shared secret Authentication Server & Back-end EAP-TLS EAP-TLS handshake with an adapted PRF
  • 29. 29 Building a resilient architecture 802.1X RADIUS NAS (e.g., WiFi router) Authentication Gateway Client Shared secret Authentication Server & Back-end EAP-TLS Let’s simplify by removing the back-ends
  • 30. 30 Sensitive Data & Secure Component (SC) USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! TLS$ EAP$ RADIUS$ BFT.SMaRT$ Authentication Service Replica! OpenID$ HTTP/HTTPS$ Secure$Component$ PuCA$ KNAS$ PrS$ KUser$ ID$ KAssoc$ $ $
  • 31. 31 Sensitive Data & Secure Component (SC) USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! TLS$ EAP$ RADIUS$ BFT.SMaRT$ Authentication Service Replica! OpenID$ HTTP/HTTPS$ DATA Table (NAS | Association)! ! <NAS1 | Handler1> <…, EK1>! <NAS2 | Handler2> <…, EK2>! <NAS3 | Handler3> <…, EK3>! <NAS4 | Handler4> <…, EK4>! …! <NASn | Handlern> <…, EKn>! Secure$Component$ PuCA$ KNAS$ PrS$ KUser$ ID$ KAssoc$
  • 32. 32 Sensitive Data & Secure Component (SC) USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! TLS$ EAP$ RADIUS$ BFT.SMaRT$ Authentication Service Replica! OpenID$ HTTP/HTTPS$ DATA Table (NAS | Association)! ! <NAS1 | Handler1> <…, EK1>! <NAS2 | Handler2> <…, EK2>! <NAS3 | Handler3> <…, EK3>! <NAS4 | Handler4> <…, EK4>! …! <NASn | Handlern> <…, EKn>! Secure$Component$ PuCA$ KNAS$ PrS$ KUser$ ID$ KAssoc$
  • 33. 33 Sensitive Data & Secure Component (SC) USER Table! ! <ID1> <…, Perm>MAC! <ID2> <…, Perm>MAC! <ID3> <…, Perm>MAC! <ID4> <…, Perm>MAC! …! <IDn> <…, Perm>MAC! DATA Table (NAS | Association)! ! <NAS1 | Handler1> <…, EK1>! <NAS2 | Handler2> <…, EK2>! <NAS3 | Handler3> <…, EK3>! <NAS4 | Handler4> <…, EK4>! …! <NASn | Handlern> <…, EKn>! TLS$ EAP$ RADIUS$ SC methods:!! 1.  HMAC! 2.  DecryptRSA! 3.  SymmCipher! 4.  Confidential! 5.  SignRSA! 6.  GenAssociation 7.  GenNonce BFT.SMaRT$ Authentication Service Replica! OpenID$ HTTP/HTTPS$ Secure$Component$ PuCA$ KNAS$ PrS$ KUser$ ID$ KAssoc$
  • 34. Sensitive Data & Secure Component (SC)
    Method       | Protocol   | Input                             | Output
    DecryptRSA   | TLS        | Packet to be verified.            | Status of the signature verification.
    SignRSA      | TLS        | Data to sign.                     | RSA signature using the key PrS.
    SymmCipher   | TLS/RADIUS | Protocol id and data.             | Ciphered output of the input data.
    Confidential | TLS/RADIUS | The packet data.                  | A confidential share of the data.
    HMAC         | RADIUS     | Data + encrypted shared key.      | HMAC-MD5 of the input data.
    GenAssoc     | OpenID     | Public key and two big integers.  | Association info + server's public key.
    GenNonce     | OpenID     | Two big integers.                 | Pseudo-random nonce.
  • 36. How to implement a secure component?
    A secure component can be "any" device capable of ensuring the data and operation confidentiality of the target system/environment, for example:
    - Smart Cards
    - Intel SGX
    - A tamper-resistant FPGA
    - A highly secured (shielded) computer
    - Virtual TPM (e.g. vTPM)
    - Secure Hypervisor (e.g. sHyper)
  • 37. Generic resilient architecture for AAIs
    Client -> Service / Application / Device (fS + 1) -> Gateway (AAI front-end) (fG + 1) -> AAI Replicas (mfR + 1), each backed by an AAI SC (mfR + 1); the Service talks to the Gateway over Protocol 2.
  • 38. Generic resilient architecture for AAIs
    Client -> Service / Application / Device (fS + 1) -> Gateway (AAI front-end) (fG + 1) -> AAI Replicas (mfR + 1), each backed by an AAI SC (mfR + 1); the Service talks to the Gateway over Protocol 2.
    Protocol-specific connection between elements.
  • 39. Generic resilient architecture for AAIs
    Client -> Service / Application / Device (fS + 1) -> Gateway (AAI front-end) (fG + 1) -> AAI Replicas (mfR + 1), each backed by an AAI SC (mfR + 1); the Service talks to the Gateway over Protocol 2 with a shared secret.
    Protocol-specific shared secrets.
  • 40. Generic resilient architecture for AAIs
    Client -> Service / Application / Device (fS + 1) -> Gateway (AAI front-end) (fG + 1) -> AAI Replicas (mfR + 1), each backed by an AAI SC (mfR + 1); the Service talks to the Gateway over Protocol 2 with a shared secret.
    Trusted Third Party (TTP); EAP-TLS between the Client and the AAI.
  • 41. Outline Our Solution Goals & Challenges Intrusion-Tolerant AAIs Conclusion Evaluation
  • 42. Resilient RADIUS architecture
    Supplicant -> Network Access Server (NAS) (fS + 1) over 802.1X/EAP-TLS -> RADIUS Gateway (fG + 1) over RADIUS/EAP-TLS with a symmetric shared secret -> Resilient RADIUS (3fR + 1) over SMR/RADIUS/EAP-TLS.
  • 43. Resilient RADIUS communications
    Participants: Supplicant, NAS, RADIUS Gateway, RADIUS Replicas, Trusted Components.
    Supplicant -- NAS over 802.1X; NAS -- RADIUS Gateway over RADIUS; RADIUS Gateway -- RADIUS Replicas over BFT-SMR, with BFT Agreement among the replicas; EAP-TLS is carried end-to-end across these hops. The sequence repeats for each round of the exchange.
  • 44. Resilient OpenID architecture
    Client/Web Browser -> Service Provider (Relying Party) (fS + 1) over HTTP/HTTPS -> OpenID Gateway (fG + 1) over OpenID 2.0 -> Resilient OpenID (3fR + 1) over SMR/HTTP/HTTPS/OpenID 2.0; the Gateway and the replicas together form the Resilient OpenID Identity Provider. OpenID 2.0 steps 4 and 5 (discovery) run between the Client/Web Browser and the Identity Provider.
  • 45. Resilient OpenID communications
    Participants: Client/Browser, Relying Party, OpenID Gateway, OpenID Replicas, Trusted Components.
    1. Service Request
    2. Identification Request
    3. Identification URL
    4. Discovery (YADIS)
    5. XRDS Response
    6. Association Request (RP DH public-key)
    7. Request (Association Handle + MAC Key + DH keypair) to the Trusted Components
    8. Response
    9. Association Response (IdP DH public-key); Association Established
    10. Authentication Request
    11. Credentials Request / Browser Redirection
    12. Credentials
    13. Credentials + Nonce Random Number request to the Trusted Components
    14. Authentication Assertion + Number
    15. Authentication Response
    16. Authentication Response
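    Added illustration (not the paper's code) of the GenAssoc method from the SC table and of steps 6-9 and 14 above: the replica forwards the RP's DH public key and the two group integers to the SC, and only the masked MAC key, the handle and the server public key come back out; the MAC key itself stays inside the SC, which is also the only place the assertion can be signed. Names, the toy DH group and the constructed assertion fields are ours.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for this demonstration only (a real deployment uses a large safe prime).
P = 2**127 - 1
G = 3

def btwoc(n):
    """OpenID 2.0 btwoc encoding: big-endian with a leading 0x00 when the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b

class SecureComponent:
    """Illustrative SC (our names, not the paper's code): MAC keys are created and used only in here."""

    def __init__(self):
        self._mac_keys = {}  # association handle -> MAC key; never returned to the replica

    def gen_assoc(self, rp_pub, p, g):
        """GenAssoc: RP public key + two big integers (p, g) -> handle, server public key, masked MAC key."""
        if not 1 < rp_pub < p - 1:
            raise ValueError("invalid RP public key")
        priv = secrets.randbelow(p - 2) + 1
        server_pub = pow(g, priv, p)
        mac_key = secrets.token_bytes(32)
        handle = secrets.token_hex(8)
        self._mac_keys[handle] = mac_key
        # DH-SHA256 masking as in OpenID 2.0: enc_mac_key = mac_key XOR SHA-256(btwoc(shared secret))
        digest = hashlib.sha256(btwoc(pow(rp_pub, priv, p))).digest()
        return handle, server_pub, bytes(a ^ b for a, b in zip(mac_key, digest))

    def sign(self, handle, signed_fields):
        """Step 14: the SC signs the assertion; the replica only relays the result."""
        return hmac.new(self._mac_keys[handle], signed_fields, hashlib.sha256).digest()

def rp_recover_mac_key(rp_priv, server_pub, enc_mac_key, p):
    """Relying Party side of step 9: recompute the shared secret and unmask the MAC key."""
    digest = hashlib.sha256(btwoc(pow(server_pub, rp_priv, p))).digest()
    return bytes(a ^ b for a, b in zip(enc_mac_key, digest))

def run_association(sc):
    """Steps 6-9, then 14-15: RP associates and verifies an SC-signed assertion with the recovered key."""
    rp_priv = secrets.randbelow(P - 2) + 1
    handle, server_pub, enc = sc.gen_assoc(pow(G, rp_priv, P), P, G)
    mac_key = rp_recover_mac_key(rp_priv, server_pub, enc, P)
    fields = b"mode:id_res\nclaimed_id:https://user.example/\nassoc_handle:" + handle.encode()
    return hmac.compare_digest(sc.sign(handle, fields), hmac.new(mac_key, fields, hashlib.sha256).digest())
```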
  • 46. Outline Our Solution Goals & Challenges Intrusion-Tolerant AAIs Conclusion Evaluation
  • 47. Resilient RADIUS vs FreeRADIUS
    Environment / Configuration: Resilient RADIUS, 7 machines; FreeRADIUS, 3 machines; per machine: CPU 2x4, MEM 32G, Net Giga.
    FreeRADIUS setup: Supplicant -> Network Access Server (NAS) (fN + 1) with fN = 0 -> RADIUS Servers (fG + 1) with fG = 1, symmetric shared secret.
    Resilient RADIUS setup: Supplicant -> Network Access Server (NAS) (fN + 1) with fN = 0 -> RADIUS Gateway (fG + 1) with fG = 1, symmetric shared secret -> Replicated RADIUS (3fR + 1) with fR = 1.
  • 48. Resilient RADIUS vs FreeRADIUS: Latency
  • 49. Resilient RADIUS vs FreeRADIUS: Throughput
  • 50. Resilient RADIUS vs FreeRADIUS: Fail-stop (crash) and Byzantine faults
    Attack    | FreeRADIUS      | RADIUS Rep | RADIUS Gw
    Fail-stop | 9s delay        | No delay   | 9s delay
    Byzantine | Max delay of 9s | No delay   | Up to 9s delay
    Note: using the default configuration of the RADIUS protocol, i.e., 3s between each retry.
  • 51. Resilient OpenID
    Average latencies (one per chart): 78.360ms; 87.343ms; 32.103ms
    Environment | vCPU | ECUs | MEM   | Network
    Quinta-VMsR | 3    | ---  | 4GB   | Gigabit Ethernet
    Quinta-VMsG | 6    | ---  | 8GB   | Gigabit Ethernet
    Quinta-Phy  | 16   | ---  | 32GB  | Gigabit Ethernet
    Amazon-DCs  | 2    | 6.5  | 7.5GB | Public WAN
  • 52. Resilient OpenID
    [Chart: number of authentications/s (0 to 6000) vs number of OpenID clients (10 to 200) for Quinta-VMs, Quinta-PHY and Amazon-DCs] Near linear gain.
  • 53. Resilient OpenID (faults & attacks)
    [Chart: ROpenID throughput under crash faults and attacks; y-axis: number of authentications/s (400 to 1600); x-axis: number of OpenID clients (10 to 100); series: FF-Exec, 1s-Crash, 2s-Crash, 4s-Crash, 8s-Crash, 16s-Crash, TCP-ACK-A, TCP-SYN-A]
  • 54. Outline Our Solution Goals & Challenges Intrusion-Tolerant AAIs Conclusion Evaluation
  • 58. Conclusion
    - A hybrid architecture for intrusion-tolerant AAIs
    - A secure component for ensuring the confidentiality
    - Backward compatibility for both RADIUS & OpenID
    - Performance assessment and evaluation under faults & attacks
  • 60. Bugs, failures, threats, attacks, …
    - Cyber Crimes/Attacks
    - Software Bugs & Vulnerabilities
    - Logical Failures
  • 61. Cyber threats: state of affairs
    - NSA Director Rogers Urges Cyber-Resiliency (Threat Post, Washington, D.C., United States)
    - Guide to Cyber Threat Information Sharing (Draft) (National Institute of Standards and Technology, NIST)
    - Presidential Proclamation: Critical Infrastructure Security and Resilience Month, 2014 (The White House, Washington, D.C., United States)
    - Biggest ever cyber security exercise in Europe today (European Commission, press release, October 30, 2014)
    - Emerging Cyber Threats Report 2015 (Georgia Institute of Technology)
    - One million cyber attacks a day on Deutsche Telekom network (EU News & policy debates, across languages)
    - Survey: Cybersecurity priorities shift to insider threats (FEDERALTIMES, US)
  • 62. Authentication & Authorization Infra (AAI)
    Typical Authentication & Authorization Infrastructure Architecture: Client -> Service over Protocol 1; Service -> Authentication Service over Protocol 2; Authentication Service -> Auth Backends (SQL, LDAP) over Protocol 3.
    Traditional RADIUS Architecture: Supplicant -> Network Access Server (NAS) over 802.1X; NAS -> AAA/RADIUS Server over RADIUS with a symmetric shared secret; AAA/RADIUS Server -> AAA Backends (SQL, LDAP).
    Traditional OpenID Architecture: Client/Web Browser <-> Service Provider (SP) / Relying Party (RP); Client/Web Browser <-> OpenID Server (steps 4 and 5); RP <-> OpenID Server over Protocol 2; OpenID Server -> OpenID Backends (SQL, LDAP).
  • 63. State Machine Replication (SMR) with BFT-SMaRt
    Main building blocks (SMR): the AAI Gateway sends a REQUEST to the AAI Replicas R0 (leader), R1, R2, R3; the replicas run the PROPOSE, WEAK and STRONG phases of the agreement; the replicas return a REPLY to the Gateway.
  • 64. Vulnerabilities and Threats in AAIs
    Vulnerability / Supported features               | RADIUS | OpenID
    Tolerates crash faults (e.g., back-end clusters) | YES    | YES
    Tolerates arbitrary faults                       | NO     | NO
    Tolerates infrastructure outages                 | NO     | NO
    Tolerates DDoS attacks                           | NO     | NO
    Risk of common vulnerabilities                   | HIGH   | HIGH
    Risk of sensitive data leakage                   | HIGH   | HIGH
    Protocol security-related vulnerabilities        | YES    | YES
    Susceptibility to resource depletion attacks     | YES    | YES
  • 65. Resilient OpenID (number of authentications/s)
    # of clients | Quinta-VMs | Quinta-PHY | Amazon-DCs
    10           | 501        | 1489       | 62
    20           | 769        | 2540       | 111
    40           | 986        | 3487       | 210
    80           | 1077       | 4719       | 401
    100          | 1136       | 5011       | 489
    200          | 1424       | 5290       | 704
    Near linear gain. Saturation points.
  • 66. Wait! What about resource depletion attacks? In virtualized environments, how can malicious VMs affect the execution of non-malicious VMs?
  • 69. Resource Depletion Attacks
    [Chart: ROpenID throughput under CPU depletion attacks; y-axis: number of authentications/s (200 to 1600); x-axis: number of OpenID clients (10 to 100); series: FF-Exec, 3vCPUs-Attack, 6vCPUs-Attack, 12vCPUs-Attack]
  • 70. Resource Depletion Attacks
    [Chart: ROpenID throughput under attacks (QuintaVMs); y-axis: number of authentications/s (200 to 1600); x-axis: number of OpenID clients (10 to 100); series: TCP-ACK-A, TCP-SYN-A, TCP-SYN-ACK-A, TCP-SSH-A]