SSLVPN vulnerabilities: client certificates provide a better defense than OTP devices

Black Hat '08 revealed several SSLVPN and DNS vulnerabilities that caused a number of people to sit up and take notice. Some of the new vulnerabilities can be used to mount a brilliant man-in-the-middle attack against SSLVPN tunnels. I will show you how using certificates, rather than OTP tokens, for second-factor authentication can improve the security of your SSLVPN solution against these new types of attacks. I wrote an article before about using certificates as the second factor for authenticating to an SSL or IPsec VPN. That model was based on a feature of the Cisco ASA 8 that allows an SSL VPN to be configured to require both certificate and AAA authentication. However, over the past 8 months, and after attending this year's Black Hat conference, I have had some new thoughts on the subject and have found a new tool that helps make it a viable solution.

First, we need to address the basic question: are certificates a valid second factor? As discussed in the previous article and thread, PCI section 8.3 indicates that they are; or, at least, we can say they are for PCI compliance purposes. That assumption generated a lot of feedback about the "something you have and something you know" two-factor authentication model. One popular view was that if a "certified" system is lost or stolen, the only thing left to do to gain access is to pull the username and password off the computer, and if the password is saved in the browser, the job is done. I did mention that tokens could be lost too, but what is more likely to be noticed, a lost laptop or a lost token? And, since the certificate alone cannot grant access to the SSL VPN, couldn't we just change the password to lock out the lost system? That seems to help minimize the damage of a lost computer.

Another thing we could do to help tighten up the overall security of our system is create certificates with limited lifetimes. Instead of a certificate being good for a year or more, we could set them up to be good for only 90 days, or even less. Yes, I know that you are laughing at me and think I have gone out of my mind to suggest this, but read to the end, there is a way.

So, I was not necessarily convinced that certificates are a valid factor when I first wrote about this, but I have turned that corner. One thing that helped me step in this direction is the added security value of certificates over password replacements against the new attack vectors that were announced recently. Most two-factor authentication solutions are some form of One-Time-Password (OTP), which is really just a password replacement. So, how much security do passwords really give us? Let's look at how a Man-in-the-Middle (MITM) attack against an SSLVPN session works when using an OTP solution, and how it works when using a certificate solution. The MITM attack will showcase some of the new DNS attack techniques and show how a lack of oversight by some Certificate Authorities affects your security.
At Black Hat '08 there was a great demonstration of how valid "internal testing only" FQDN certificates for URLs that you don't control can be obtained by anyone who asks. The one obtained by the researcher at Black Hat was for MSFT's https://login.live.com site; he didn't disclose the CA that issued it to him, but it was one that is trusted in IE by default. Having these completely valid certificates allows a MITM attack to be staged without generating a browser security warning saying the certificate has issues (see my previous article on the subject at //m.banksfrench.com/community/node/30822). First, let's look at a MITM SSLVPN attack where two-factor authentication is done using a username and an OTP token device. See the diagram for a flow of what is happening, in order. The first thing the attacker will do, not shown in the diagram, is a Google search or perimeter scan to figure out what SSLVPN URL to go after. A good search term to use is something like https://sslvpn. They will then go to all of the trusted CA's and try to get them to issue a valid "internal only" certificate with the FQDN of a target sslvpn URL. As soon as they get a success, that company becomes their target of choice. Remember, the certificate they need can be issued by any CA trusted in the browser and does not need to match the CA that the SSLVPN gateway is using. Now for 10 steps to MITM success:

Diagram: MITM SSLVPN attack with OTP device (http://www.jheary.com/mitm-otp.jpg)

Here are the 10 steps explained:

1. The attacker launches a client-side or DNS-server-side DNS poisoning attack that changes the DNS record for https://sslvpn.xyz.com to point to the MITM proxy server's IP address instead of the real SSLVPN headend device. For details on the various new DNS attack techniques, see http://www.workorsecurity.com/dns.php.
2. On the client of their choice, the user starts an SSLVPN connection to their office. Because the SSLVPN login URL now resolves to the attacker's proxy server, that is where their connection request goes. Their real SSLVPN headend device never sees the request.
3. The proxy is very excited because it has a new victim, and happily completes the SSL handshake with the victim. The key point is that it sets up the connection using the bogus fully-qualified-domain-name certificate it obtained from a trusted CA. Since the client trusts the CA that issued the cert and the cert's FQDN matches that of the real sslvpn headend device, the client is just as excited as the attacker's proxy is. Oh goody, I am about to connect to my real sslvpn server.
4. The proxy then asks the real SSLVPN headend to initiate a session.
5. The SSLVPN headend completes a handshake with the attacker's proxy.
6. Once the sslvpn handshake is completed, the headend asks the proxy for credentials.
7. The proxy forwards the credential request to the real client using its own session.
8. The user enters their username, grabs their OTP token, puts in their PIN, and then inputs the generated password into the password field.
9. The proxy copies the provided credentials, then politely informs the client that it did indeed provide a correct username and OTP password, and establishes a full SSLVPN tunnel between itself and the victim client. The client is thrilled that the proxy trusts its credentials and gleefully participates in full SSLVPN tunnel establishment. Behind the scenes, the proxy uses the credentials it just copied from the victim to authenticate itself to the real SSLVPN headend. Now everyone is pleased on that side too, and the proxy and sslvpn headend establish their own SSLVPN tunnel.
10. Walla!!! (inside joke, see the comments on my previous post) At this point the attacker has successfully established a man-in-the-middle position and can see all of the victim's data in the clear. He is also free to copy, modify or delete any data sent or received by either side.

So how does using certificates as the second factor stop this type of attack? In short, because certificate authentication requires mutual authentication/validation. That means neither side trusts the other by default. In the scenario above, the client validated the SSLVPN's identity through its certificate. When we use certificates, we require the SSLVPN headend to validate the client's identity as well. This is done by issuing client certificates to all of the users' PCs. OK, so why don't we just go to a CA and spoof a client certificate too? Because it won't work. The difference is that the VPN headend will only check the validity of a client certificate against the CA it has been configured to trust. That could be an internal CA or an outsourced CA, in contrast to the client in the example above, which trusts any CA already in its key store. FYI, Firefox has over 40 trusted CA's by default!

OK, you ask, what if the attacker somehow gets the CA trusted by the SSLVPN headend to issue them an "internal only" certificate? They would have another problem. Some SSLVPN devices (such as the Cisco ASA) can use information embedded in the client certificate to pre-fill fields such as the username. So when the client logs in, the username they type is ignored and the ASA uses the username that is part of the client certificate. This means the attacker would have to know ahead of time what the username (or any other pre-filled information) needs to be before requesting an "internal" certificate from the trusted CA.

Here is the flow when username/password and certificates are used for authentication and encryption.

Diagram: username/pwd and certs, MITM SSLVPN attack fails (http://www.jheary.com/mitm-certs.jpg)

Diagram text, step 2) Handshake: ServerHello, Certificate, CertificateRequest, ServerHelloDone; ChangeCipherSpec, Finished (this step fails without possession of the client certificate); Handshake: Finished.

So, as you can see, putting a certificate on the client stops the attacker dead. With client certificates, the SSL negotiation is based on the public/private key pairs of both the client and the server. This means the attacker must possess a valid personal certificate in order to authenticate. The value of certificates has been recognized for years, and the cryptography is well vetted. The biggest problem with securing a network using client certificates is management. MultiFactor Corp., which recently joined the Cisco Technology Developer Partner program, has overcome the management burden with SecureAuth for Cisco VPN products. SecureAuth provides a strongly authorized, user self-service certificate deployment platform. I am running a demo system, and its installation and integration with my SSL VPN were very simple. In fact, I deployed a PKI in under an hour, it added no management overhead for my SSL VPN, and it is so simple to use that the average end user needs little or no training.
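To make the mutual-authentication argument above and the handshake in the diagram concrete, here is an added Go example (not code from the original post, Cisco or SecureAuth) that stands up a headend requiring client certificates verified only against its own CA, then runs the TLS 1.2 CertificateRequest handshake three ways: with a client certificate from that CA, with no certificate, and with one issued by a different, browser-style CA. The CA names, the headend name sslvpn.example.test, the user name and the 90-day lifetime are constructed for the example, and the headend's own server certificate is issued by the same CA only for brevity (as the post notes, it need not be).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue mints a 90-day certificate for cn: self-signed when parent is nil (a CA), else signed by parent/parentKey.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour), // short-lived, as the post suggests
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // a CA signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// Handshake runs one TLS 1.2 handshake against a headend that demands a client cert chaining to headendCA; nil means success.
func Handshake(headendCA *x509.Certificate, server tls.Certificate, client ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(headendCA)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ // loopback listener standing in for the headend
		Certificates: []tls.Certificate{server}, MaxVersion: tls.VersionTLS12, // TLS 1.2: client learns the verdict inside Dial
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool, // mutual auth: verify the client, but only against the headend's own CA
	})
	defer ln.Close()
	go func() { // headend side: accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "sslvpn.example.test", Certificates: client} // client side: present a cert if given one
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // fails if the headend rejects (or is not shown) a client cert
	if err == nil {
		conn.Close()
	}
	return err
}
```

Only the client whose certificate chains to the headend's configured CA completes the handshake; a client with no certificate, or with one from any other CA, is turned away before a tunnel exists.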

Here is how it works: SecureAuth is deployed as an appliance in the ASA's DMZ and connects to my existing backend AD over secure LDAP. The ASA is configured to automatically direct browsers that have no certificate to the SecureAuth enrollment process. When the user logs in successfully, they are sent straight to enrollment without going through the portal. The next step is enrollment authorization. SecureAuth has many enrollment methods, including sending an enrollment code by SMS or by phone (a voice reads the code out to you), and the code is only valid for that session. The phone numbers SecureAuth uses are all in my AD, so I did not have to create a new authentication database or maintain any separate user database for it. Once enrollment authorization is complete, the client system generates a public/private key pair, sends a signing request, and then installs the finished certificate. Below are some screenshots of the SecureAuth process.

Screenshots: http://www.jheary.com/secur1.jpg, http://www.jheary.com/secur2.jpg, http://www.jheary.com/secur3.jpg

Now, when the user returns to the SSL VPN, the certificate is presented and validated, and the user is directed to the authentication page for access to the SSL VPN. The second factor for access is almost invisible, yet it adds all kinds of security value to the connection; things a password replacement cannot do. Remember how I mentioned short-lived certificates? Seems ridiculous, right? Dealing with expiring certificates and re-enrolling them has always been a very cumbersome and painful process. However, with the ASA and SecureAuth solution, when my certificate expires the ASA simply sends me back to certificate enrollment and I just go through the enrollment process again. Or, if I go home and want to use another computer, I enroll from there. If you want to restrict what types of devices can log in, you can control cert enrollment, or use features in the ASA to perform a pre-login host assessment/scan. For example, the assessment results can determine whether the host is a corporate-owned asset or a kiosk PC.

Using client certificates for your SSL VPN definitely adds security value in ways that password replacements (read: OTP tokens) cannot. There are certainly some trade-offs in the model, but given the recently published DNS flaws and the volume of attacks that followed, it seems reasonable to think about how to protect the network layer of your SSL VPN connections. Certificates seem to be the best, and perhaps the only, way. All you need now is a tool (like SecureAuth) that lets your end users use them without a huge management burden... Oh, and if you really, really want lots of security, run tokens on top of certificates.

Many thanks to Mark Lambiase for his help with this blog post. For more information on SecureAuth, you can contact him directly at mlambiase@multifa.com, or go to www.multifa.com to set up a free trial using your own ASA box.

The Cisco ASA product line can support certificate authentication together with username/password authentication; for more information go to http://www.cisco.com/go/asa. Finally, if anyone knows of other companies doing something similar to SecureAuth, I would love to hear about it.

So, what do you think? Are certificates really more secure than OTP devices? Based on the information above, can you still justify the added cost of an OTP solution compared to certificates? What other advantages do you think OTP has over a certificate-based solution? I try not to take sides, but it is getting harder and harder for me not to.

The opinions and information expressed here are my personal views and not those of my employer.


Copyright © 2008
