Incrementando os níveis de segurança na autenticação com Single Packet Authorization e Device Fingerprinting
Resumo
Uma nova abordagem para controle de perímetro de rede é autenticar antes de a primeira comunicação acontecer, tal como proposto no Software Defined Perimeter (SDP). O uso de Single Packet Authorization (SPA) no SDP é fundamental para que o primeiro acesso ocorra apenas após a autenticação do dispositivo. Entretanto, o problema da conexão TCP subsequente pode persistir em técnicas de autenticação via SPA quando a autenticação está vinculada ao endereço IP, tal como no SPA do SDP. Este trabalho propõe um novo modelo para criação e envio do SPA no SDP. O novo modelo inclui, na estrutura do SPA, um campo de fingerprint de dispositivo. Também é proposto um método para construir e usar o novo campo de fingerprint, a fim de solucionar o gap temporal entre a autenticação do SPA e a conexão subsequente para autenticação do usuário. Os resultados demonstram que a solução proposta combate o acesso indevido e aumenta consideravelmente o grau de dificuldade de detecção, replicação ou leitura dos dados do SPA. Através dos experimentos foi demonstrado que o aumento do tempo de processamento do novo SPA e a geração do fingerprint não comprometem a usabilidade da solução.Referências
Bilger, B., Boehme, A., Flores, B., e Guterman, Z. (2014). Cloud Security Alliance - SDP - Specication 1.0.
Booth, Y. W. e Kumhyr, D. B. (2007). Method and system for tracing missing network devices using hardware ngerprints. In Patent No.: US 7,181,195 B2. USA Patent.
CERT.BR (2017). Cartilha de Segurança para Internet.
Chuah, C. W., Dawson, E., e Simpson, L. (2013). Key Derivation Function: The SCKDF Scheme. In Security and Privacy Protection in Information Processing Systems, pages 125 – 138, Berlin, Heidelberg. Springer Berlin Heidelberg.
Cooper, A., Tschofenig, H., Ph.D., D. B. D. A., Peterson, J., Morris, J. B., Hansen, M., e Smith, R. (2013). Privacy Considerations for Internet Protocols. RFC 6973.
Daemen, J. e Rijmen, V. (1999). AES Proposal: Rijndael. In The Rijndael Block Cipher - Document Version 2 - AES Proposal, pages 1 – 45.
Desai, A., Ankalgi, K., Yamanur, H., e Navalgund, S. S. (2013). Parallelization of AES algorithm for disk encryption using CBC and ICBC modes. In 2013 Fourth (ICCCNT), pages 1 – 7.
Etchegoyen, C. S. (2014). Authentication of computing and communications hardware. In Patent US 8726407 B2. United States Patent.
Gardner, P. B. e Volodarets, V. (2017). Method for determining identication of an electronic device. In Patent No.: US 9,547,780 B2. United States Patent.
Hansen, T. e Eastlake, D. (2011). US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). Internet Engineering Task Force (IETF).
Kaliski, B. (2000). PKCS #5: Password-Based Cryptography Specication Version 2.0. Internet Engineering Task Force (IETF).
Kumar, R. e Talwar, I. (2012). Network Security using Firewall and Cryptographic Authentication. International Journal of Computer Applications (0975 – 8887), 57(23).
Liew, J., Lee, S., Ong, I., Lee, H., e Lim, H. (2010). One-Time Knocking framework using SPA and IPsec. In 2010 2nd International Conference on Education Technology and Computer, volume 5, pages V5 – 213.
Lucion, E. L. R. e Nunes, R. C. (2018). Software Dened Perimeter: improvements in the security of Single Packet Authorization and user authentication. In XLIV Conferência Latino-americana de Informática - CLEI, São Paulo.
M'Raihi, D., Hoornaert, F., Naccache, D., Bellare, M., e Ranen, O. (2005). HOTP: An HMAC-Based One-Time Password Algorithm. Internet Engineering Task Force (IETF).
M'Raihi, D., Machani, S., Pei, M., e Rydell, J. (2011). TOTP: Time-Based One-Time Password Algorithm. Internet Engineering Task Force (IETF).
Newman, C. e Klyne, G. (2002). Date and Time on the Internet: Timestamps. RFC 3339.
Osborn, B., McWilliams, J., Beyer, B., e Saltonstall, M. (2016). BeyondCorp: Design to Deployment at Google. ;login:, 41, 28 – 34.
Peterson, L. L. e Davie, B. S. (2013). Redes de Computadores - uma abordagem de sistemas. Elsevier, 5º edition.
Puthal, D., Mohanty, S. P., Nanda, P., e Choppali, U. (2017). Building Security Perimeters to Protect Network Systems Against Cyber Threats [Future Directions]. IEEE Consumer Electronics Magazine, 6(4), 24 – 27.
Rowland, C., Sandford, A., Balakrishnan, S., e McCasey, M. (2008). Generating globally unique device identication. In Patent No.: US 7428,587 B2. United States Patent.
Spear, B., Beyer, B. A. E., Cittadini, L., e Saltonstall, M. (2016). Beyond Corp: The Access Proxy. Login, 41(04), 28 – 33.
Tariq, M., Baig, M. S., e Saeed, M. T. (2008). Associating the Authentication and Connection-Establishment Phases in Passive Authorization Techniques. In Proceedings of the World Congress on Engineering - WCE 2008, volume I, London, U.K.
Villela, A. D. A. (2007). Access control system based on a hardware and software signature of a requesting device. In Pub. No.: US 2007/0113090 A1. United States Patent.
Ward, R. e Beyer, B. (2014). BeyondCorp: A New Approach to Enterprise Security. ;login:, Vol. 39, No. 6, 6 – 11.
Zorkta, H. e Almutlaq, B. (2012). Harden Single Packet Authentication (HSPA). International Journal of Computer Theory and Engineering, 4(5), 717 – 721.
Booth, Y. W. e Kumhyr, D. B. (2007). Method and system for tracing missing network devices using hardware ngerprints. In Patent No.: US 7,181,195 B2. USA Patent.
CERT.BR (2017). Cartilha de Segurança para Internet.
Chuah, C. W., Dawson, E., e Simpson, L. (2013). Key Derivation Function: The SCKDF Scheme. In Security and Privacy Protection in Information Processing Systems, pages 125 – 138, Berlin, Heidelberg. Springer Berlin Heidelberg.
Cooper, A., Tschofenig, H., Ph.D., D. B. D. A., Peterson, J., Morris, J. B., Hansen, M., e Smith, R. (2013). Privacy Considerations for Internet Protocols. RFC 6973.
Daemen, J. e Rijmen, V. (1999). AES Proposal: Rijndael. In The Rijndael Block Cipher - Document Version 2 - AES Proposal, pages 1 – 45.
Desai, A., Ankalgi, K., Yamanur, H., e Navalgund, S. S. (2013). Parallelization of AES algorithm for disk encryption using CBC and ICBC modes. In 2013 Fourth (ICCCNT), pages 1 – 7.
Etchegoyen, C. S. (2014). Authentication of computing and communications hardware. In Patent US 8726407 B2. United States Patent.
Gardner, P. B. e Volodarets, V. (2017). Method for determining identication of an electronic device. In Patent No.: US 9,547,780 B2. United States Patent.
Hansen, T. e Eastlake, D. (2011). US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). Internet Engineering Task Force (IETF).
Kaliski, B. (2000). PKCS #5: Password-Based Cryptography Specication Version 2.0. Internet Engineering Task Force (IETF).
Kumar, R. e Talwar, I. (2012). Network Security using Firewall and Cryptographic Authentication. International Journal of Computer Applications (0975 – 8887), 57(23).
Liew, J., Lee, S., Ong, I., Lee, H., e Lim, H. (2010). One-Time Knocking framework using SPA and IPsec. In 2010 2nd International Conference on Education Technology and Computer, volume 5, pages V5 – 213.
Lucion, E. L. R. e Nunes, R. C. (2018). Software Dened Perimeter: improvements in the security of Single Packet Authorization and user authentication. In XLIV Conferência Latino-americana de Informática - CLEI, São Paulo.
M'Raihi, D., Hoornaert, F., Naccache, D., Bellare, M., e Ranen, O. (2005). HOTP: An HMAC-Based One-Time Password Algorithm. Internet Engineering Task Force (IETF).
M'Raihi, D., Machani, S., Pei, M., e Rydell, J. (2011). TOTP: Time-Based One-Time Password Algorithm. Internet Engineering Task Force (IETF).
Newman, C. e Klyne, G. (2002). Date and Time on the Internet: Timestamps. RFC 3339.
Osborn, B., McWilliams, J., Beyer, B., e Saltonstall, M. (2016). BeyondCorp: Design to Deployment at Google. ;login:, 41, 28 – 34.
Peterson, L. L. e Davie, B. S. (2013). Redes de Computadores - uma abordagem de sistemas. Elsevier, 5º edition.
Puthal, D., Mohanty, S. P., Nanda, P., e Choppali, U. (2017). Building Security Perimeters to Protect Network Systems Against Cyber Threats [Future Directions]. IEEE Consumer Electronics Magazine, 6(4), 24 – 27.
Rowland, C., Sandford, A., Balakrishnan, S., e McCasey, M. (2008). Generating globally unique device identication. In Patent No.: US 7428,587 B2. United States Patent.
Spear, B., Beyer, B. A. E., Cittadini, L., e Saltonstall, M. (2016). Beyond Corp: The Access Proxy. Login, 41(04), 28 – 33.
Tariq, M., Baig, M. S., e Saeed, M. T. (2008). Associating the Authentication and Connection-Establishment Phases in Passive Authorization Techniques. In Proceedings of the World Congress on Engineering - WCE 2008, volume I, London, U.K.
Villela, A. D. A. (2007). Access control system based on a hardware and software signature of a requesting device. In Pub. No.: US 2007/0113090 A1. United States Patent.
Ward, R. e Beyer, B. (2014). BeyondCorp: A New Approach to Enterprise Security. ;login:, Vol. 39, No. 6, 6 – 11.
Zorkta, H. e Almutlaq, B. (2012). Harden Single Packet Authentication (HSPA). International Journal of Computer Theory and Engineering, 4(5), 717 – 721.
Publicado
02/09/2019
Como Citar
LUCION, Everson Luis; NUNES, Raul.
Incrementando os níveis de segurança na autenticação com Single Packet Authorization e Device Fingerprinting. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 19. , 2019, São Paulo.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2019
.
p. 1-14.
DOI: https://doi.org/10.5753/sbseg.2019.13958.