Tuesday, 10 January 2012

X.500 / LDAP / Microsoft's Active Directory Security Features

X.500
X.500 is a set of standards for directory services, originally developed to support electronic mail exchange. It was first developed by the ITU-T and approved in 1988. Several protocols defined by X.500 include:

  • DAP (Directory Access Protocol) - Protocol used to monitor the communication between the server and clients
  • DSP (Directory System Protocol) - Protocol used to monitor the interaction between a Directory User Agent and a Directory System Agent, or between two or more Directory System Agents
  • DISP (Directory Information Shadowing Protocol) - Used to monitor the shadowing of information within the Directory System Agent
  • DOP (Directory Operational Bindings Management Protocol) - Protocol used to link up communications between two Directory System Agents
 

Some of the features of X.500 include:
  • Authentication
    • Uses the X.509 Public Key Infrastructure (PKI) which allows for strong authentication
  • Access Control - To prevent changes from being applied to data files and system resources
A typical exchange between a client and a server can use one-way, two-way or three-way authentication. The client first requests access from the server, and the server decides whether to authenticate the client. If the authentication succeeds, access is granted to the client. The server then offers a service to the client, which the client may choose to use. Depending on that choice, the client may be redirected to another X.500 server, or the exchange terminates if the client refuses the service.


LDAP
The LDAP (Lightweight Directory Access Protocol) is an application protocol derived from the X.500 standard for accessing and maintaining distributed directory information over an Internet Protocol (IP) network. Some of the security features of LDAP include:
  • Limited authentication to authorized users only
  • Secure Sockets Layer (SSL) to protect data from being sniffed by hackers
  • Non-intrusive data integration: schema changes are not required and no data is stored in the directory
  • PKI (Public Key Infrastructure) - Allows for stronger authentication by utilizing strong encryption
Features of LDAP include:
  • Scalability: Allows flexibility in scaling as it does not rely on a specific operating system; being vendor-independent, it also allows flexibility in upgrading hardware and software
  • Availability: Information is retrieved from different servers that store the same directory contents. Should one server have a problem, the other servers can still serve the client.
  • Security: By using Secure Sockets Layer (SSL) and access control lists (ACLs), it raises the security level by preventing unauthorized users from accessing the network
  • Manageability: A graphical user interface (GUI) is provided for simplicity and is integrated into both system administration and data administration. It also allows changes in schema without extending the directory schema.


Microsoft Active Directory
Microsoft Active Directory is a directory service created by Microsoft for Windows domain networks. It is designed to handle a large number of read and search operations in addition to applying changes and updates. Active Directory is the central location for network administration and security: it is responsible for authenticating and authorizing users in a Windows domain network, enforcing security policies for all devices, and installing or updating software on network computers.


Some of the features of Microsoft Active Directory include:
  • Simplified user and network resource management
  • Directory consolidation
  • Simple scalability
  • Use of internet protocols and internet standards
  • Interoperability with X.500 standard
  • Compatible with LDAP
  • Provides a single point for access in the network

Some of the security features of Microsoft Active Directory include:
  • Cross-forest trust - Allows for trust between two different domains
  • TLS support - Able to encrypt LDAP traffic
  • WMI filtering of Group Policy Objects (GPOs) - Provides services that monitor the transmission between two different domains; WMI information can be used to determine whether a GPO should be applied.
  • Delegation of administration - Simplified graphical user interface (GUI) for user account creation and account management.
  • Directory object security
    • Per-property access control
    • Per-property auditing
  • Organizational units (OUs) - To separate users, groups and computers into separate containers.


Thursday, 5 January 2012

GSM / GPRS Security Feature, Threats and Solution

GSM - Global System for Mobile Communications


The GSM standard began development in 1982 as the technology for Second Generation (2G) digital cellular networks. Data transmission over the radio link uses digital techniques for full-duplex voice telephony. Some security features of GSM include, but are not limited to:

  • Authentication [ Verification of users to prevent cloning of duplicate users ] - CHAP (Challenge-Handshake Authentication Protocol)
  • Confidentiality [ Prevents eavesdropping of voice, data and sensitive signalling information ] - Encryption of the radio channel 
  • Anonymity [ Protects the user from being tracked by eavesdropping on the radio path ] - Temporary identities

However, there are some security threats pertaining to these features. Some threats include, but are not limited to:

  • Only access security is implemented - Communications and signalling network in the fixed traffic are not protected
  • Identities cannot be trusted
  • Encryption is lacking in the case of user visibility

These lead to several attacks on the GSM network, including but not limited to:

  • Eavesdropping
  • Impersonation of user
  • Impersonation of network
  • Man-in-the-middle attack


Thus, to reduce the risk of a security breach, every mobile subscriber is issued a unique 128-bit secret key (Ki). It is stored in a Subscriber Identity Module (SIM) card, which must be inserted into the mobile phone. The SIM is a tamper-resistant smart card, so that extracting the subscriber's Ki is infeasible.

The encryption algorithm of GSM is A5. It uses a 64-bit cipher key, which makes it almost impossible to decrypt. This ensures that subscribers' information has a basic level of security.


GPRS - General Packet Radio Service

GPRS is a packet-oriented mobile data service on the 2G and 3G cellular GSM network, more commonly known as 2.5G. Its main feature is wireless data services that extend GSM data capabilities to internet access, multimedia messaging services and early mobile internet applications via the Wireless Application Protocol (WAP).

The security features of GPRS are very similar to those of GSM. Such features include, but are not limited to:

  • Authentication [ Verification of users to prevent cloning of duplicate users ] - CHAP (Challenge-Handshake Authentication Protocol)
  • Confidentiality [ Provides privacy to the subscriber, so that it will be difficult to identify ] - Encryption of the radio channel 
  • User and signalling data confidentiality

Since the security features of GPRS are very similar to those of GSM, the threats they face are also similar. Some threats include, but are not limited to:

  • Only access security is implemented - Communications and signalling network in the fixed traffic are not protected
  • Identities cannot be trusted
  • Encryption is lacking in the case of user visibility
  • Fraud issues

These lead to several attacks on the GPRS network, including but not limited to:

  • Eavesdropping
  • Impersonation of user
  • Impersonation of network
  • Man-in-the-middle attack
  • Viruses and trojans

The A3 and A8 algorithms implemented on the SIM are usually combined as one algorithm (A3/8) to compute SRES and Kc. A3/8 uses COMP-128, a keyed hash function. If the SRES returned by the SIM is identical to the one computed by the network, the mobile subscriber is proven genuine, since only a SIM holding the correct A3/8 algorithm and Ki could have produced it.
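The SIM/network exchange described above and in the GSM section, as an added example that is not part of the original post: a Python simulation in which the network's Authentication Center issues a random challenge RAND, the SIM computes SRES and Kc from its Ki, and the network compares SRES. The A3/8 stand-in is HMAC-SHA256 (an assumption made for illustration; real SIMs use COMP128), and the Ki and IMSI values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample values (not real subscriber data).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit Ki


def a3_a8(ki, rand):
    """Stand-in for the combined A3/8 algorithm.
    Real SIMs use COMP128; HMAC-SHA256 is assumed here only as a keyed
    function. Returns (SRES, Kc): a 32-bit response and a 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Tamper-resistant SIM: holds Ki and only ever reveals SRES and Kc."""
    def __init__(self, ki):
        self._ki = ki

    def run_gsm_algorithm(self, rand):
        # The SIM answers any 128-bit RAND it is given; it has no way to
        # check that the challenge came from a genuine network.
        return a3_a8(self._ki, rand)


class AuthenticationCenter:
    """Network side (AuC): holds a copy of each subscriber's Ki by IMSI."""
    def __init__(self, subscribers):
        self._keys = dict(subscribers)

    def make_triplet(self, imsi):
        rand = os.urandom(16)  # fresh 128-bit challenge per run
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


AUC = AuthenticationCenter({IMSI: KI})


def authenticate(auc, imsi, sim):
    """One GSM authentication run. Returns (accepted, Kc), where Kc is the
    64-bit A5 session key both sides now share, or None on failure."""
    rand, expected_sres, kc = auc.make_triplet(imsi)
    sres, sim_kc = sim.run_gsm_algorithm(rand)
    # Only the subscriber is authenticated: the network compares SRES.
    if not hmac.compare_digest(sres, expected_sres):
        return False, None
    assert sim_kc == kc  # both sides derived the same Kc from Ki and RAND
    return True, kc
```

Ki never crosses the radio link; only RAND and SRES do, and a SIM programmed with a different Ki fails the comparison. The mobile side checks nothing about the network, which is why impersonation of the network appears in the threat list.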
