Authentication Protocol Attacks: What Hackers Don't Want You to Know

Identity authentication protocols are the basic mechanism for authentication and authorization in computer networks. As the Internet has grown, more and more applications need to provide access control and identity authentication for remote users. To make authentication more secure and reliable, new identity protocols keep being proposed, such as the ticket-based Kerberos protocol, the XML-based SAML protocol, and the open-standard OAuth 2.0 authorization framework. Each of these protocols has its own characteristics and application scenarios, and together they give users more secure and convenient identity authentication services. As new technologies emerge, identity authentication protocols will continue to develop and innovate.

A Brief History of Identity Protocol Development

Early identity authentication protocols relied mainly on passwords for verification. The best known are the Password Authentication Protocol (PAP), which sends the password in cleartext, and the Challenge-Handshake Authentication Protocol (CHAP), which replaces the cleartext password with a hash of a server-supplied challenge and the secret. Protocols of this generation suffer from plaintext transmission, replay attacks, man-in-the-middle attacks and offline dictionary attacks against captured challenge-response pairs, so they are easy for attackers to break.

With the development of cryptography and public key infrastructure (PKI), a family of identity authentication protocols based on public-key cryptography and digital certificates emerged, such as authentication over Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and client authentication with X.509 digital certificates. These protocols provide higher security and trustworthiness, but because certificates must be managed and distributed, they are less flexible and harder to use.

In the Web 2.0 era, identity authentication protocols developed and innovated significantly. In 2005 the OpenID protocol was first proposed: a lightweight, decentralized identity authentication protocol that allows a user to authenticate on multiple websites with one identity. OpenID adopts a decentralized identity provider (IdP) model, so users can log in on different websites with the same credentials. OAuth followed: OAuth 1.0 was published as RFC 5849 in 2010 and OAuth 2.0 as RFC 6749 in 2012. OAuth is an open standard for authorization that allows users to authorize third-party applications to access protected resources on their behalf.

OAuth uses tokens for authorization: a user can authorize a third-party application to access specific resources without handing it sensitive credentials such as a username and password.

In addition there are the SAML (Security Assertion Markup Language) protocol and the Kerberos protocol, which authenticate with signed assertions and encrypted tickets respectively rather than with passwords, and so provide a higher level of security and interoperability. SAML is an XML-based open standard used to transfer authentication and authorization information between different security domains; it relies on a trust relationship between identity provider and service provider and on single sign-on (SSO) to achieve cross-domain authentication and authorization. Kerberos is a symmetric-key authentication protocol built around tickets issued by a trusted Key Distribution Center (KDC); it offers strong security with good efficiency and is widely used in enterprise networks and operating systems.

Besides the protocols above, there are other authentication protocols such as LDAP (Lightweight Directory Access Protocol), NTLM (NT LAN Manager), and the now widely adopted OIDC (OpenID Connect). LDAP is a client-server protocol for accessing and maintaining distributed directory services; in practice it also serves as an authentication channel through the LDAP bind operation. NTLM is Microsoft's challenge-response authentication protocol for Windows, used both in domains and in workgroups and still present mainly for backward compatibility. OIDC is an open standard identity layer built on top of OAuth 2.0 that adds authentication (an ID token) to OAuth's authorization for web and mobile applications.

Identity protocol attack surface

Identity protocols are now used in every corner of the networked world. Along with convenience they bring risks of various kinds, and those risks are being exploited by attackers. Based on research into identity protocol threats, the common risks can be sorted out along the protocol dimension as follows.

In a Windows domain, attackers routinely chain the three identity protocols Kerberos, NTLM and LDAP into a complete attack path. At the start, the attacker gathers information over LDAP, looking for sensitive users and groups in the domain (members of privileged groups, accounts with sensitive settings such as delegation) and collecting as much sensitive information as possible. Next, to extend the foothold and control more hosts, the attacker may use NTLM pass-the-hash (PtH) and NTLM relay to move laterally to other hosts. After obtaining domain administrator privileges, the attacker may use Kerberos-based techniques such as golden tickets (forged TGTs encrypted with the krbtgt account's key), silver tickets (forged service tickets encrypted with a service account's key) and delegation abuse to maintain persistent control over the domain. In short, flexible use of these three protocols inside the domain gives the attacker a significant effect and causes major impact.
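The following is an added example, not code from the original article or from any product it mentions. It runs two simple detections for the NTLM and Kerberos steps of the chain above over constructed Windows Security event records (not real logs): a service-ticket request (event 4769) with no TGT request (event 4768) from the same account and host within the TGT lifetime, which is the trace a golden ticket leaves because the forged TGT never passed through the domain controller, and a burst of NTLM network logons (event 4624, logon type 3) from one source to many hosts, the footprint of pass-the-hash or relay lateral movement. The field names, the ten-hour lifetime and the fan-out threshold are assumptions chosen for the example.

```python
# Added example: heuristic detections over constructed event records (assumed
# field names mirror a subset of the native 4768/4769/4624 schema; not real logs).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4768 = TGT request, 4769 = service-ticket request,
# 4624 = successful logon (logon_type 3 = network, auth_pkg NTLM or Kerberos).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-03-01T09:00:00", "user": "alice", "src": "10.0.0.11"},
    {"id": 4769, "time": "2024-03-01T09:00:05", "user": "alice", "src": "10.0.0.11",
     "service": "cifs/fs01"},
    # golden ticket: service tickets requested from a host that never asked the DC for a TGT
    {"id": 4769, "time": "2024-03-01T09:10:00", "user": "Administrator", "src": "10.0.0.99",
     "service": "cifs/dc01"},
    {"id": 4769, "time": "2024-03-01T09:10:02", "user": "Administrator", "src": "10.0.0.99",
     "service": "ldap/dc01"},
    # a single NTLM logon is normal
    {"id": 4624, "time": "2024-03-01T09:15:00", "user": "bob", "src": "10.0.0.12",
     "target": "fs01", "logon_type": 3, "auth_pkg": "NTLM"},
    # pass-the-hash / relay: one source, one account, NTLM logons to many hosts in minutes
    {"id": 4624, "time": "2024-03-01T09:20:00", "user": "svc_backup", "src": "10.0.0.50",
     "target": "ws01", "logon_type": 3, "auth_pkg": "NTLM"},
    {"id": 4624, "time": "2024-03-01T09:21:00", "user": "svc_backup", "src": "10.0.0.50",
     "target": "ws02", "logon_type": 3, "auth_pkg": "NTLM"},
    {"id": 4624, "time": "2024-03-01T09:22:30", "user": "svc_backup", "src": "10.0.0.50",
     "target": "ws03", "logon_type": 3, "auth_pkg": "NTLM"},
    # Kerberos network logon: not counted by the NTLM rule
    {"id": 4624, "time": "2024-03-01T09:23:00", "user": "svc_backup", "src": "10.0.0.50",
     "target": "ws04", "logon_type": 3, "auth_pkg": "Kerberos"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_forged_tgt(events, tgt_lifetime=timedelta(hours=10)):
    """Flag 4769 service-ticket requests with no 4768 TGT request from the same
    user and source host within the preceding TGT lifetime. A golden ticket is
    minted offline with the krbtgt key, so the domain controller never logs the
    AS exchange that a legitimately issued TGT would have produced."""
    tgt_seen = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_seen[(e["user"], e["src"])].append(_t(e))
    alerts = []
    for e in sorted(events, key=_t):
        if e["id"] != 4769:
            continue
        now = _t(e)
        legit = [t for t in tgt_seen[(e["user"], e["src"])] if now - tgt_lifetime <= t <= now]
        if not legit:
            alerts.append((e["user"], e["src"], e["service"]))
    return alerts


def detect_ntlm_fanout(events, window=timedelta(minutes=5), min_targets=3):
    """Flag (source, account) pairs that complete NTLM network logons (4624,
    logon type 3) to at least min_targets distinct hosts inside one window:
    the footprint of pass-the-hash or NTLM relay lateral movement."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth_pkg") == "NTLM":
            by_actor[(e["src"], e["user"])].append((_t(e), e["target"]))
    alerts = []
    for (src, user), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            targets = {host for t, host in logons[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts.append((src, user, sorted(targets)))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_forged_tgt(SAMPLE_EVENTS):
        print("possible forged TGT (golden ticket):", a)
    for a in detect_ntlm_fanout(SAMPLE_EVENTS):
        print("NTLM lateral movement fan-out:", a)
```

Both rules are deliberately coarse. The forged-TGT rule also fires when the TGT was issued by a different domain controller or before the start of the log window, so in production the 4768 and 4769 events must be correlated across all DCs with enough retention to cover the configured TGT lifetime; the fan-out rule needs a baseline of which accounts normally touch many hosts (backup and scanning accounts) before it is useful.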

On the web side, the protocols most often encountered are OAuth 2.0, OIDC, SAML and CAS. Attackers go after them with leaked credentials, forged credentials, session hijacking, CSRF and similar techniques. For example, OAuth 2.0 allows a third-party application to obtain limited access to a user's protected resources; if an attacker obtains the user's OAuth access token (or an authorization code before it is redeemed), the attacker can access those resources without the user's knowledge or consent, which may disclose the user's private data and give the attacker access to sensitive information. In SAML, an attacker who has stolen the identity provider's token-signing key can carry out a Golden SAML attack: forge assertions for any user, obtain full access to the corresponding systems, and impersonate anyone on the target system.

With the spread of single sign-on, identity and access management (IAM) built on several authentication protocols has become the identity infrastructure favored by enterprises and developers. At the same time, attackers are turning their attention and research toward this identity infrastructure. Common attack methods against identity infrastructure are as follows:

  • Identity leakage: an attacker steals a legitimate user's account and password by various means and then uses them to reach protected resources. Social engineering and phishing are typical ways of obtaining a user's authentication information.

  • Identity theft: an attacker uses another person's identity information to obtain a legitimate user's privileges, or creates a new account in the system and impersonates a legitimate user to obtain privileges. Brute-force guessing, token theft and session fixation are typical ways of carrying out identity theft.

  • Privilege escalation: an attacker raises their own privileges to a higher level in order to gain access to higher-level resources, for example by bypassing authentication or modifying user account settings.

  • Cross-site request forgery (CSRF): an attacker tricks a user into following a malicious link so that the user's browser sends a forged request to the server and performs the action the attacker wants. CSRF can be used to act under the user's identity and carry out unauthorized operations.

  • Session hijacking: an attacker obtains a legitimate user's session by some means and uses it to access the system's protected resources, for example by stealing the session cookie or through a session fixation attack.
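The following is an added example, not code from the original article. It simulates an OAuth 2.0 authorization-code flow inside one process to show the two checks that defeat the login-CSRF and code or token theft attacks described in the OAuth 2.0 paragraph above and in the CSRF and session-hijacking items of this list: a per-session `state` value that the relying party verifies on the callback, and PKCE (RFC 7636), which binds the authorization code to the client instance that started the flow. `AuthServer` and `Client` are hypothetical stand-ins for a real identity provider and relying party, and the in-memory dicts replace real session and code storage.

```python
# Added example: OAuth 2.0 authorization-code flow with state + PKCE, simulated
# in-process. AuthServer/Client are hypothetical stand-ins, not a real library.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Stand-in for the IdP's /authorize and /token endpoints."""
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge, subject)

    def authorize(self, client_id, redirect_uri, state, code_challenge, subject):
        """The user has authenticated as `subject`: issue a single-use code bound to
        the client, redirect URI and PKCE challenge, and echo `state` back unchanged."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge, subject)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, code_verifier, redirect_uri):
        entry = self.codes.pop(code, None)  # codes are single-use
        if entry is None:
            raise PermissionError("unknown or already redeemed code")
        cid, ruri, challenge, subject = entry
        if cid != client_id or ruri != redirect_uri:
            raise PermissionError("code is bound to a different client or redirect URI")
        if pkce_challenge(code_verifier) != challenge:
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "sub": subject}


class Client:
    """Stand-in for the relying party. sessions: browser session id -> pending flow."""
    def __init__(self, auth_server, client_id="demo-app", redirect_uri="https://app.example/cb"):
        self.auth_server = auth_server
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions = {}

    def start_login(self, session_id):
        """Generate state and a PKCE verifier and tie both to this browser session."""
        verifier = secrets.token_urlsafe(32)
        pending = {"state": secrets.token_urlsafe(16), "verifier": verifier}
        self.sessions[session_id] = pending
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": pending["state"], "code_challenge": pkce_challenge(verifier)}

    def callback(self, session_id, callback_url):
        """Handle the redirect back: state must match THIS session, then redeem the code."""
        pending = self.sessions.pop(session_id, None)
        if pending is None:
            raise PermissionError("no login in progress for this session")
        query = parse_qs(urlparse(callback_url).query)
        if query.get("state", [None])[0] != pending["state"]:
            raise PermissionError("state mismatch: possible login CSRF")
        return self.auth_server.token(self.client_id, query["code"][0],
                                      pending["verifier"], self.redirect_uri)


def run_scenarios():
    """Returns (honest login subject, login-CSRF outcome, code-injection outcome)."""
    idp = AuthServer()
    app = Client(idp)
    # 1. Honest flow: the victim's own browser session completes the login.
    req = app.start_login("victim-session")
    url = idp.authorize(req["client_id"], req["redirect_uri"], req["state"],
                        req["code_challenge"], subject="alice")
    honest = app.callback("victim-session", url)["sub"]
    # 2. Login CSRF: the attacker finishes /authorize as "mallory", then makes the victim's
    #    browser load that callback URL to bind the victim's session to the attacker's account.
    atk = app.start_login("attacker-session")
    atk_url = idp.authorize(atk["client_id"], atk["redirect_uri"], atk["state"],
                            atk["code_challenge"], subject="mallory")
    app.start_login("victim-session")  # the victim has a pending flow of their own
    try:
        app.callback("victim-session", atk_url)
        csrf = "accepted"
    except PermissionError as err:
        csrf = str(err)
    # 3. Code injection: the attacker steals the victim's code from the redirect and
    #    tries to redeem it without the victim's PKCE verifier.
    req = app.start_login("victim-session")
    url = idp.authorize(req["client_id"], req["redirect_uri"], req["state"],
                        req["code_challenge"], subject="alice")
    stolen_code = parse_qs(urlparse(url).query)["code"][0]
    try:
        idp.token(app.client_id, stolen_code, "attacker-guess", app.redirect_uri)
        injection = "accepted"
    except PermissionError as err:
        injection = str(err)
    return honest, csrf, injection
```

Running `run_scenarios()` returns the honest subject `"alice"` followed by the two rejection reasons. Without the state check, scenario 2 would silently log the victim into the attacker's account; without PKCE (or with a public client that cannot keep a secret), a code leaked through a referrer header, browser history or a malicious redirect URI could be redeemed by whoever captured it, which is exactly the token-theft path described above. The example uses a dedicated session store; tying `state` to a cookie that is not the login session cookie, or reusing one global state value, defeats the purpose.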

It follows that identity protocols carry many risks; in real environments, attackers often exploit identity protocols to break through an enterprise's defense in depth and compromise its critical systems. For more detailed attack techniques against identity protocols, refer to the white paper 《ITDR身份认证协议》 (ITDR Identity Authentication Protocols).

How to secure identity protocols

Identity protocols are the underlying support for authentication and authorization; if their security is compromised, neither the data they carry nor the resources inside the systems that depend on them can be considered safe. Protecting identity protocols from attack is therefore of great significance. To that end, the identity infrastructure can be hardened and monitored for attacks in real time through the 中安网星 ITDR platform.

The ITDR (Identity Threat Detection and Response) platform is an advanced threat-analysis platform launched by 中安网星 for identity threat detection and response. It centers its protection on identity and infrastructure, covers the mainstream identity infrastructure and centralized control facilities, and is designed around hardening before an attack, monitoring during it and blocking afterwards, so that the product covers the attacker's entire activity lifecycle.

Origin blog.csdn.net/m0_60571990/article/details/129590526