Network Authentication - Flex Radio SDR

Slides:



Advertisements
Similar presentations
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Advertisements

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 5: Configuring Access for Remote Clients and Networks.
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Internet Protocol Security (IPSec)
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Team Daniel Scarlett Miles O’Keefe Cody Clark Samuel Pesek Network/authentication model for Flex Radio’s SDR over WAN.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
Phil Hurvitz Securing UNIX Servers with the Secure.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
HardSSH Cryptographic Hardware Key Team May07-20: Steven Schulteis (Cpr E) Joseph Sloan (EE, Cpr E, Com S) Michael Ekstrand (Cpr E) Taylor Schreck (Cpr.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester December 2009.
Virtual Private Networks
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Key management issues in PGP
TOPIC: HTTPS (Security protocol)
Chapter 5 Electronic Commerce | Security Threats - Solution
Web Applications Security Cryptography 1
Ssh: secure shell.
Tutorial on Creating Certificates SSH Kerberos
Secure Software Confidentiality Integrity Data Security Authentication
Remote Access Lecture 2.
Secure Sockets Layer (SSL)
SECURE SHELL MONIKA GUPTA COT 4810.
Radius, LDAP, Radius used in Authenticating Users
Chapter 5 Electronic Commerce | Security Threats - Solution
Web Services Security.
Module 8: Securing Network Traffic by Using IPSec and Certificates
Introduction to SQL Server 2000 Security
Tutorial on Creating Certificates SSH Kerberos
Using SSL – Secure Socket Layer
Unit 27: Network Operating Systems
– Chapter 3 – Device Security (B)
Chapter 27: System Security
Goals Introduce the Windows Server 2003 family of operating systems
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH
Firewalls Routers, Switches, Hubs VPNs
– Chapter 3 – Device Security (B)
SECURITY IN THE LINUX OPERATING SYSTEM
Module 8: Securing Network Traffic by Using IPSec and Certificates
Chapter 7 Network Applications
Designing IIS Security (IIS – Internet Information Service)
Test 3 review FTP & Cybersecurity
Preventing Privilege Escalation
Instructor Materials Chapter 5: Ensuring Integrity
Presentation transcript:

Network Authentication - Flex Radio SDR 2.6 Network Authentication - Flex Radio SDR Project team members Project Design Manager Daniel Scarlett Senior Design Engineer Miles O’Keefe Samuel Pesek Cody Clark

Outline Background Information Design Details Validation Test Plan Impacts and Issues Schedule Budget Stretch Goals Future Upgrades Conclusion

Background Information

Project: Develop authentication method to access the radio over WAN System Diagram Project: Develop authentication method to access the radio over WAN

History of Remote Access Telnet - 1960’s Early remote access technology tools usually “listened” to dedicated ports and relied on relatively insecure passwords. This allowed hackers to monitor certain ports and intercept encrypted data. Due to plain text streams, Telnet was never secure by default. rlogin, rsh, rcp - 1980’s Application layer protocol, and just like Telnet, a user could log into the remote system with a password, but rlogin additionally allowed automatic (passwordless) logins for users on trusted remote computers.However, like Telnet, rlogin still used plain text communications over TCP port 513 by default. SSH - 1990’s Network protocol, consequently as criteria of remote access software, the next iteration of this technology involved creating a safe tunnel for data. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary.

Design Details

Possible Solutions Username/Password Advantages Easy to implement/deploy and commonly used for both network and system access Easy to administer - password resets can be done automatically User familiarity - most used authentication model Disadvantages Low security - credentials can be easily stolen All parts of password transmission can lead to exposure Users are rationally ignorant - would likely use call signs for login

Possible Solutions Certificate (PKI) Advantages Works behind the scenes - user doesn’t have to do anything Doesn’t require the transmission of the secret - mitigates all sorts of storage/transmission weak points Issued by a trusted party - allows for a centralized management system Disadvantages Deployment is complex and thus expensive - an external database is needed. Still requires a password - almost any private key pair storage mechanism is then unlocked with a PIN Certificate Status reporting and updates are not easy - revoking a user credential that has become corrupted is onerous due to the size and complexity of the infrastructure

Possible Solutions Cryptographic Key Server Advantages High level of confirming authentication of user through the use of cryptography The existing telnet way of communicating with the radio remains unencrypted which is upgraded to an SSH communication channel providing a secure tunnel traffic To help keep the radio from being compromised, the client has to authenticate with the key server every (x) amount of time until a session has ended. For end users, this scheme would make using the radio secure as authentication would occur continuously throughout the session Disadvantages Encryption/Decryption is used by the key server which takes up additional resources of processing power used by the microprocessor Private key must be kept confidential Connecting to the radio for initial setup would have to be through LAN

Chosen Model Cryptographic Key Server and Client Model Username/Password had too weak of security for customer’s requirements Certificate would be too complex and expensive Key server is central to radio itself - no external database needed Use of cryptography is the most secure way of authentication and communication This method of authentication could prove to work the best with Flex Radio.

Proposed Design A lightweight cryptographic key server database and the tools used to implement will be compiled onto the radio (eg. Dropbear, GnuPG, openSSH) Upon bootup of the radio, the key server daemon will listen for requests on its corresponding ports until an authenticated user has been accepted If the radio has access to the WAN, the location of the key server database is updated in a DynDNS lookup table for the client to find the location of the key server If the client making the request to the radio are within the LAN address range then SSH access to the radio is automatically opened and the client will then access a startup script to add/delete users

Proposed Design The client is then enabled to access the radio over WAN via SSH at which time the session begins, invoking a startup script that sends a challenge/response signed and encrypted message to the client (added user) The client decrypts the message and sends the response message back signed with the private key of the client and encrypted with the public key of the radio The radio decrypts and validates the message by the digital signature that was signed by comparing against the public key stored in the key server’s database The client then gains access to the radio’s services

Block Diagram of Proposed Design

Implemented Design A Raspberry Pi B+ was used to replicate the radio’s specifications Similar operating system (linux) and microprocessor (ARM) Didn’t want to damage our client’s provided SDR The Pi had to be configured in a couple different ways Default user had to be added that had root and superuser privileges NOIP’s Dynamic Update Client (DUC) was installed for remote access over WAN SSH server/client configuration files were altered

Implemented Design A default user was added with the privileges of root level admin access to add and delete users and groups through LAN A hostname and domain name were created through a 3rd party source (NOIP.com) free of charge After downloading and configuring the NOIPS’s dynamic update client (DUC), the Pi was ready for remote access using a URL that was assigned from NOIP’s online hostname tool

Implemented Design The IP address was dynamically updated from the Pi to ensure the correct network address translation (NAT) would stay current The user could then SSH into the Pi given the SSH files being configured properly which allowed the client to upload their SSH key pair, only over LAN Over WAN, the Pi validates the user via key pair and pw

Block Diagram of Implemented Design Didn't have time to produce with errors encountered.

Problems Encountered Changing customer requirements after 1st semester Spent a lot of time on research to gain the required knowledge to solve this design Start-up scripts that would work behind the user’s interface Challenge/response script that would check validity of user every (x) amount of time The basic task of cryptographic security between the server/client using the public key method was done through manual configuration of the Pi Initially produced a solution with VPN. Time constraints resulted in start up scripts and Challenge Response not being fully operational.

Validation Test Plan

Validation Test Plan Test Cases Default user can access the Pi only over LAN Restricting access from unauthorized users on LAN/WAN New user can upload public key only over LAN User can access Pi over LAN with password authentication User can access Pi over WAN with public key and pw authentication

Validation Test Results Test Cases Default user can access the Pi only over LAN - Pass Restricting access from unauthorized users on LAN/WAN - Pass New user can upload public key only over LAN - Pass User can access Pi over LAN with password authentication - Pass User can access Pi over WAN with public key and pw authentication - Pass

Impacts and Issues

Impacts and Issues Societal Impact Our model would provide the user a safe and secure remote connection to their internet connected SDRs Environmental Impact Unauthorized transmission of radio broadcasts Security Issue Exposure of a user’s personal information to potential hackers Ethical Issue Client doesn’t want the system to be compromised and a hacker to be able to take control of a lot of radios and create mass controllable bots of SDRs

Schedule

Project Structuring & Conceptual Design Schedule Fall 2014 Semester Spring 2015 Semester 17/Sep/14 08/Oct/14 12/Nov/14 05/Dec/14 15/Jan/15 11/Mar/15 30/Mar/15 20/Apr/15 5/May/15 Project Structuring & Conceptual Design Design Phase 1 Resource problem & potential methods to solve Design Phase 2 Develop several solutions for problem Present Potential Solutions Select a solution to implement Implement the chosen solution into a working model CDR Presentat-ion Validation testing of the chosen model Deliver Finished product and documents to client

Budget

Budget Development Budget Research Time Software Development Hours Raspberry Pi B+ - $70 Production Budget Domain & Hosting < $150/yr

Stretch Goals

Stretch Goals Code all the different necessary scripts that are done behind the scenes of the user Fully implement a working solution using a Raspberry Pi and a client connected through the internet Provide a demonstration of a client connecting over WAN to the Pi

Future Upgrades

Future Upgrades Implement the model into existing radios Code and implement startup scripts Expand the use of check session lengths with the use of nonces to continually authenticate the client with the radio $20 YubiKey used for challenge/response, One Time Password, and securely holding RSA key pairs

Conclusion

Conclusion This method of authentication will provide the best balance between security/authentication and usability of the application. The cryptographic use of the encrypted communication channel that SSH uses and the authentication method we will use shall verify a user that has already been added to the keyserver database. Behind the client interface is where the authentication scheme is used so a user understanding cryptography is unnecessary which makes for a user friendly experience.

Thank You!