View
221
Download
3
Category
Tags:
Preview:
Citation preview
Web surfing
DNS server
Web server
Internetyahoo
IP o
f yah
oo?
IP of yahoo?
1.2.3.41.
2.3.
4
Get index.htm from 1.2.3.4
Response from 1.2.3.4
URL spoofing
• Hyperlinks in malicious emails and web pages • www.paypa1.com v.s. www.paypal.com• What web is referred by this link?
http://www.kau.se@0x82EE0716/index.php• Dotless IP address:
– http://130.238.7.22– http://0x82EE0716/– http://www.kau.se@0x82EE0716/– http://www.kau.se@0x82EE0716/index.php
X.509 certificate
• Based on public key cryptography and digital signatures
• CA: certification authority
Unsigned certificate
H
Hash algorithm
Hash digest
E
signature
signed certificate
CA’s private key
Sign algorithm
Verification
• Others can use the CA’s public key to verify the signature
Unsigned certificate
H
Hash algorithm
Hash digest
D
signaturesigned certificate
CA’s public key
Compare
Validating a Certificate
• Metaphor (1): – CA: Karlstad university– Certificate owner: the students
(who get their master degree)– Verifier: employers
• Metaphor (2): – CA1: Swedish Ministry of
Education – CA2: Karlstad University
CA
Certificate ownerVerifier
issue
trust
CA 1
issue
CA 3CA 2
issu
e
CA 4
issu
e
Validating a Certificate
• Must recognize accepted CA in certificate chain– One CA may issue certificate for another CA
• Must verify that certificate has not been revoked– CA publishes Certificate Revocation List
(CRL)
• Self-signed certificate?
Man-in-the-middle attacks (by malicious intermediaries)
• Read the content of HTTP traffics– Your password (even hashed?)
• Modify the content of HTTP traffics– Transfer money from your account to the
attacker.
• …
Brief History of SSL/TLS
• SSLv2– Released in 1995 with Netscape 1.1– Key generation algorithm kept secret– Reverse engineered & broken by Wagner & Goldberg
• SSLv3– Fixed and improved, released in 1996– Public design process
• TLS: IETF’s version; the current standard
SSL/TLS Overview
• Establish a session (handshake layer)– Agree on algorithms– Share secrets– Perform authentication
• Transfer application data (record layer)– Ensure confidentiality and integrity
SSL Architecture
• Record Protocol: Message encryption/authentication• Handshake P.: Identity authentication & key exchange• Alert P.: Error notification (cryptographic or otherwise)• Change Cipher P.: Activate the pending crypto suite
IP
TCP
SSL Record Protocol
HTTP,etc.
SSL AlertProtocol
SSL Change CipherSpec. Protocol
SSL HandshakeProtocol
SSL Handshake Protocol
• Two parties: client and server
• Negotiate version of the protocol and the set of cryptographic algorithms to be used– Interoperability between different implementations of
the protocol
• Authenticate client and server (optional)– Use digital certificates to learn each other’s public
keys and verify each other’s identity
• Use public keys to establish a shared secret
Handshake Protocol (1)
• Client_hello: version, random, session id, cipher suite, compression method
• Server_hello: version, random, session id, cipher suite, compression method
Client Server
Client_hello
Server_hello
Handshake Protocol (2)
• Certificate: X.509 certificate chain
• Server_key_exchange: parameters, signature
• Certificate_request: type, authorities
• Server_hello_done: null
Client Server
Client_hello
Server_hello
Certificate
Server_key_exchange
Certificate_request
Server_hello_done
Handshake Protocol (3)
• Certificate: X.509 certificate chain
• Client_key_exchange: parameters, signature
• Certificate_verify: signature
Client Server
Client_hello
Server_hello
Certificate
Server_key_exchange
Certificate_request
Server_hello_done
CertificateClient_key_exchange
Certificate_verify
Handshake Protocol (4)
• Change_cipher_spec: a single message, which consists of a single byte with value 1.
• Finished: hash value
Client Server
Client_hello
Server_hello
Certificate
Server_key_exchange
Certificate_request
Server_hello_done
CertificateClient_key_exchange
Certificate_verify
Change_cipher_specFinished
Change_cipher_spec
Finished
SSL Encryption
• Master secret– Generated by both parties from premaster
secret and random values generated by both client and server
• Key material– Generated from the master secret and
shared random values• Encryption keys
– Extracted from the key material
SSL Record Protocol
Data (optionally compressed)
MAC (0,16, or 20 bytes)
Content type
Major version
Minor version
Length
Alerts and Closure
• Alert the other side of exceptions– Unexpected message– Bad record mac– Handshake failure– Illegal parameter– Bad certificate– …
• 2 levels– Warning– fatal
SSL Overhead
• 2-10 times slower than a TCP session
• Where do we lose time– Handshake phase
• Calculating the key materials
– Data Transfer phase• Symmetric key encryption
TLS/SSL Applications
• HTTP -> HTTPS
• Telnet -> SSH
• FTP -> SFTP
• SIP -> SIPS
• Resources: http://www.openssl.org/related/apps.html
Homework
• Visit a web site with HTTPS
• Use wireshark to capture the traffics
• Read the parsed traffics, especially pay attention on the handshake protocol.
The Domain Name System
• A database implemented by many name servers (NS)– Distributed– Replicated– Hierarchical
.
com. se. edu.
cmu.edu..kau.se
cs.kau.se.
ftp.cs.kau.se.www.cs.kau.se.
Authoritative Servers
• Authoritative DNS servers– An organization’s DNS servers, providing
authoritative information for organization’s servers
– Can be maintained by organization or service provider
DNS Query and Response
local DNS Server
End-user
www.kau.se A?
www.kau.se A 193.10.226.10
Root DNS Server
se DNS Server
kau.se DNS Server
Cache:www.kau.se A 193.10.226.10
www.kau.se A?
www.kau.se A
193.10.226.10
www.kau.se A
193.10.226.10
DNS Vulnerabilities
• No authentication.
– DNS_response.ID == DNS_request.ID ? (16 bit length)
– DNS_response.dport == DNS_request.dport?
• Significance: DNS is widely used in
– Web
– VoIP
– …
A Simple DNS Attack
local DNS Server
User’s Laptop
www.seb.se A?
www.seb.se A attacker_IP
Root DNS Server
se DNS Server
seb.se DNS Server
Attacker’s Laptop
Easy to observe UDP DNS query sent to well known server on well known port.
www.seb.se A 129.178.89.80
First response wins. Second response is silently dropped on the floor.
A cache poisoning Attack
local DNS Server
User’s Laptop
seb.se DNS ServerAttacker
www.seb.se
A?
ww
w.s
eb.s
e A
at
tack
er_I
P
Wit
h d
iffe
ren
t ID
s
Cached a bad record:www.seb.se A attacker_IP
www.seb.se A?
www.seb.se A attacker_IP
www.seb.se A? with
different IDs
A More Complex Attack
ns.attacker.com
kau Caching Server
Remote attacker
Query www.attacker.com
Response www.attacker.com A 128.9.128.127 attacker.com NS ns.attacker.com attacker.com NS www.seb.se ns.attacker.com A 128.9.128.2 www.seb.se A 128.9.128.127
Any kau Computer
Query www.seb.se
www.seb.se= 128.9.128.127
Question
• Is SSL/TLS useful to counteract these DNS attacks? Why?
• Homewrok:– Read RFC 2535 about DNSSec– http://www.faqs.org/rfcs/rfc2535.html
Recommended