CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

Posted on 17-Dec-2015

Page 1: CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation

Terminal Access Controller Access Control System Plus

(TACACS+)

By MARVEL

(Libing, Bhavana, Ramya, Maggie, Nitin)

Page 2:

Agenda

- Introduction – TACACS+
- Format and Header Values
- TACACS+ Operations (AAA)
- Vulnerabilities
- Conclusion

Page 3:

Introduction – TACACS+

TACACS+ (Terminal Access Controller Access-Control System Plus), pronounced “tack-acks plus”.

TACACS+ originated from the TACACS and extended TACACS (XTACACS) protocols, but it is not compatible with them.

A Cisco proprietary protocol.

Provides access control for routers, network access servers, and many other networked computing devices through one or more centralized servers.

Provides separate Authentication, Authorization, and Accounting (AAA) services for server access.

Page 4:

Format and Header Values

Every TACACS+ packet begins with a 12-byte header, which is always sent in clear text.

Page 5:

TACACS+ Authentication

Determines who is allowed to gain access to the network, using usernames and passwords, or “one time” passwords.

Takes place when the user first logs in to a machine or requests a service of it.

Packet types: START, CONTINUE and REPLY.

START and CONTINUE are always sent by the client; REPLY is always sent by the daemon.

Page 6:

TACACS+ Authentication Process

1. Connection request from the user;
2. A START packet is sent to the AAA server;
3. A REPLY packet is sent back, requesting the user name;
4. The client sends a CONTINUE packet to the AAA server with the username;
5. A REPLY packet is sent back, asking for the password;
6. The client sends a CONTINUE packet to the AAA server with the password;
7. A REPLY packet is sent back to indicate a pass/fail of authentication.

Page 7:

TACACS+ Authorization

Determines what a user is allowed to do.

Determines what services the user has access to.

Customizes the service for the particular user.

An authorization session is defined as a single pair of messages, a REQUEST followed by a RESPONSE.

Page 8:

TACACS+ Authorization Process

1. Resource request from the user (assuming authentication has already taken place);
2. A REQUEST packet is sent to the AAA server for a certain service;
3. A RESPONSE packet is sent back, indicating a pass or fail;
4. User access is granted or denied.

Page 9:

TACACS+ Accounting

Follows the processes of authentication and authorization.

Maintains complete accounting information.

Used either for billing purposes of the services or for security reasons.

TACACS+ accounting also uses the two message types: a REQUEST and a RESPONSE.

Page 10:

TACACS+ Accounting Process

1. A resource request from the user;
2. A REQUEST packet, flagged START, STOP, or CONTINUE, is sent to the AAA server;
3. A RESPONSE packet is sent back, with status SUCCESS, ERROR, or FOLLOW.

Page 11:

Vulnerabilities of TACACS+

Page 12:

1) Lack of Integrity Checking

No integrity checking exists in TACACS+; an ‘MD5 encryption stream cipher’ mechanism is used, so changes can be made to accounting packets.

Example: modifying the elapsed time from 8000 to 1000.

Page 13:

2) Vulnerability to Replay Attacks

No protection against replay attacks: every TACACS+ session starts with sequence number 1, and accounting sessions have only one packet, so duplicate accounting records can be produced, with forged task_id fields.

Page 14:

3) Session ID Collision

The more unique the session IDs are, the stronger the encryption is. When multiple sessions get the same ID, a frequency analysis attack becomes possible: known plaintext from one session allows decryption of another session with the same sequence number and session ID.

The TACACS+ server encrypts the reply packet with its own session ID (mostly when the sequence number of the packet is 2).

Page 15:

4) The Birthday Paradox

Session IDs are too small, which leads to fewer unique IDs.

Example: 100,000 TACACS+ sessions; 20,000 dial-up sessions; 1000 matches per month; a few hundred user passwords.

Page 16:

5) Lack of Padding

No padding in any field or at the end of the packet.

Variable-size data fields can be determined from the packet sizes.

This reveals the length of user passwords.

Page 17:

6) MD5 Context Leak

A theoretical vulnerability: MD5-like hashes (16 bytes long) should be avoided. TACACS+ packets are encrypted by XOR’ing them with the MD5 hashes:

MD5_1 = MD5(session_id, key, version, seq_no)
MD5_2 = MD5(session_id, key, version, seq_no, MD5_1)
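As an added worked example (not part of the slides and not code from any Cisco or tac_plus implementation), the following Python builds and parses the 12-byte clear-text header from page 4 and derives the MD5 pseudo-pad exactly as the formulas above describe, following the layout in draft-grant-tacacs-02; the shared key, session ID and packet body are constructed sample values.

```python
import hashlib
import struct

# Header layout and flag values follow draft-grant-tacacs-02; key/body used below are constructed.
TAC_PLUS_MAJOR_VER = 0xC           # high nibble of the version byte
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent without the MD5 pseudo-pad
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always clear text

def parse_header(pkt: bytes) -> dict:
    """Decode the header; validate the length field before trusting it (the check page 18 says was skipped)."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, pkt[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported major version")
    if length != len(pkt) - HEADER_LEN:
        raise ValueError("header length does not match body length")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}); concatenate and cut to n bytes."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:n]

def transform_body(hdr: dict, key: bytes, body: bytes) -> bytes:
    """XOR the body with the pad; the same call obfuscates and deobfuscates."""
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """Assemble header + obfuscated body (minor version 0, no flags set)."""
    hdr = {"version": TAC_PLUS_MAJOR_VER << 4, "seq_no": seq_no,
           "flags": 0, "session_id": session_id}
    header = struct.pack(HEADER_FMT, hdr["version"], ptype, seq_no, 0, session_id, len(body))
    return header + transform_body(hdr, key, body)

def recover_body(pkt: bytes, key: bytes) -> bytes:
    """Parse, validate and deobfuscate a received packet."""
    hdr = parse_header(pkt)
    return transform_body(hdr, key, pkt[HEADER_LEN:])
```

Note that nothing fed into the pad varies with the body, so two packets with the same header fields and key share the same pad, which is the root of the collision and integrity problems on pages 12 and 14.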

Page 18:

7) DoS and/or Overflow

Denial of Service – an attempt to make resources unavailable to intended users.

Unlike the others, this is an implementation defect: no sanity check, and no check for an integer overflow in calculating the total memory size to allocate.
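As a second added example (not from the slides and not tac_plus code), the following Python parses the accounting REQUEST body exchanged in step 2 of page 10 and enforces the length sanity check that this slide says implementations lacked: every declared field length is compared with the bytes actually present before anything is sliced or allocated. The body layout follows draft-grant-tacacs-02, and the sample record is constructed.

```python
import struct

# Accounting REQUEST body layout follows draft-grant-tacacs-02; sample values below are constructed.
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
FIXED_FMT = "!BBBBBBBBB"  # flags, authen_method, priv_lvl, authen_type, authen_service,
FIXED_LEN = struct.calcsize(FIXED_FMT)  # user_len, port_len, rem_addr_len, arg_cnt

def parse_acct_request(body: bytes) -> dict:
    """Parse a deobfuscated accounting REQUEST body. Every declared length is checked
    against the bytes actually present before any slicing (the sanity check page 18 says
    implementations skipped; in C the sum itself must also be guarded against overflow)."""
    if len(body) < FIXED_LEN:
        raise ValueError("body shorter than the fixed fields")
    (flags, authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, arg_cnt) = struct.unpack(FIXED_FMT, body[:FIXED_LEN])
    off = FIXED_LEN
    if len(body) < off + arg_cnt:
        raise ValueError("argument length table truncated")
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    declared = user_len + port_len + rem_addr_len + sum(arg_lens)
    if off + declared != len(body):
        raise ValueError("declared field lengths (%d) do not match the body" % declared)

    def take(n: int) -> bytes:
        nonlocal off
        chunk = body[off:off + n]
        off += n
        return chunk

    user, port, rem_addr = take(user_len), take(port_len), take(rem_addr_len)
    args = {}
    for n in arg_lens:
        raw = take(n).decode("ascii", errors="replace")
        # An AV pair is split at its first '=' (mandatory) or '*' (optional) separator.
        i = next((k for k, ch in enumerate(raw) if ch in "=*"), None)
        if i is None:
            raise ValueError("malformed AV pair: %r" % raw)
        args[raw[:i]] = raw[i + 1:]
    return {"flags": flags, "priv_lvl": priv_lvl, "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode(), "args": args}

def build_acct_request(flags: int, user: bytes, port: bytes, rem_addr: bytes, args: dict) -> bytes:
    """Inverse of the parser, used only to construct sample bodies (authen_method 0x06 =
    TACACSPLUS, priv_lvl 1, authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN)."""
    pairs = [("%s=%s" % kv).encode("ascii") for kv in args.items()]
    fixed = struct.pack(FIXED_FMT, flags, 0x06, 1, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), len(pairs))
    return fixed + bytes(len(p) for p in pairs) + user + port + rem_addr + b"".join(pairs)
```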

Page 19:

FIXES

- Apply packet filtering
- Choose strong encryption keys
- Avoid running tac_plus as root

Page 20:

Conclusion

TACACS+ is a Cisco proprietary protocol facilitating the AAA model in Cisco devices.

It provides AAA communication between the AAA client and the AAA server.

It improves on TACACS and XTACACS by separating authentication, authorization and accounting.

It is more widely preferred since it uses TCP, a reliable transport protocol.


Page 22:

Q & A?

Thanks!