Upload
manavmehra13
View
222
Download
0
Embed Size (px)
Citation preview
8/7/2019 705 TCD WirelessSec
1/95
Security in Wireless System
Goals: understand principles of network security:
r cryptography and its manyuses beyondconfidentiality
r authenticationr message integrity
security in practice:r firewalls and intrusion detection systemsr security in application, transport, network, link
layers
8/7/2019 705 TCD WirelessSec
2/95
Security in Wireless System
What is network security? Principles of cryptography Message integrity Securing e-mail Securing TCP connections: SSL Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
3/95
What is network security?
Confidentiality: only sender, intended receivershould understand message contentsr sender encrypts messager
receiver decrypts messageAuthentication: sender, receiver want to confirm
identity of each other
Message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards)without detection
Access and availability: services must be accessibleand available to users
8/7/2019 705 TCD WirelessSec
4/95
Friends and enemies: Alice, Bob, Trudy
well-known in network security world Bob, Alice (lovers!) want to communicate securely Trudy (intruder) may intercept, delete, add messages
secure
sender
secure
receiver
channel data, controlmessages
data data
Alice Bob
Trudy
8/7/2019 705 TCD WirelessSec
5/95
Who might Bob, Alice be?
well, real-lifeBobs and Alices! Web browser/server for electronic
transactions (e.g., on-line purchases)
on-line banking client/server DNS servers routers exchanging routing table updates other examples?
8/7/2019 705 TCD WirelessSec
6/95
There are bad guys (and girls) out there!
Q: What can a bad guy do?A: A lot! See section 1.6r eavesdrop:intercept messagesr actively insertmessages into connectionr
impersonation:can fake (spoof) source address inpacket (or any field in packet)r hijacking:take over ongoing connection by
removing sender or receiver, inserting himself inplace
r denial of service: prevent service from beingused by others (e.g., by overloading resources)
8/7/2019 705 TCD WirelessSec
7/95
Security in Wireless System
What is network security? Principles of cryptography Message integrity Securing e-mail Securing TCP connections: SSL Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
8/95
8
The language of cryptography
m plaintext message
KA(m) ciphertext, encrypted with key KAm = KB(KA(m))
plaintext plaintextciphertext
KA
encryptionalgorithm
decryptionalgorithm
Alices
encryptionkey
Bobs
decryptionkey
KB
8/7/2019 705 TCD WirelessSec
9/95
9
Simple encryption scheme
substitution cipher: substituting one thing for anotherr monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
Plaintext: bob. Howdy. alice
ciphertext: nkn. akrvw. mgsbc
E.g.:
Key: the mapping from the set of 26 letters to theset of 26 letters
8/7/2019 705 TCD WirelessSec
10/95
10
Polyalphabetic encryption
n monoalphabetic cyphers, M1,M2,,Mn Cycling pattern:
r e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;
For each new plaintext symbol, usesubsequent monoalphabetic pattern incyclic patternr dog: d from M1, o from M3, g from M4
Key: the n ciphers and the cyclic pattern
8/7/2019 705 TCD WirelessSec
11/95
11
Breaking an encryption scheme
Cipher-text onlyattack: Trudy hasciphertext that shecan analyze
Two approaches:r Search through all
keys: must be able todifferentiate resulting
plaintext fromgibberishr Statistical analysis
Known-plaintext attack:trudy has some plaintextcorresponding to someciphertextr eg, in monoalphabetic
cipher, trudy determinespairings for a,l,i,c,e,b,o,
Chosen-plaintext attack:
trudy can get thecyphertext for somechosen plaintext
8/7/2019 705 TCD WirelessSec
12/95
12
Types of Cryptography
Crypto often uses keys:r Algorithm is known to everyoner Only keys are secret
Public key cryptographyr Involves the use of two keys Symmetric key cryptography
r Involves the use one key
Hash functionsr Involves the use of no keysr Nothing secret: How can this be useful?
8/7/2019 705 TCD WirelessSec
13/95
13
Symmetric key cryptography
symmetric key crypto: Bob and Alice share same(symmetric) key: K
e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
Q: how do Bob and Alice agree on key value?
plaintextciphertext
K S
encryption
algorithm
decryption
algorithm
S
K S
plaintext
message, m K (m)S
m = KS(KS(m))
8/7/2019 705 TCD WirelessSec
14/95
14
Two types of symmetric ciphers
Stream ciphersr encrypt one bit at time
Block ciphersr Break plaintext message in equal-size blocksr Encrypt each block as a unit
8/7/2019 705 TCD WirelessSec
15/95
15
Stream Ciphers
Combine each bit of keystream with bit ofplaintext to get bit of ciphertext
m(i) = ith bit of message
ks(i) = ith bit of keystream c(i) = ith bit of ciphertext c(i) = ks(i) m(i) ( = exclusive or) m(i) = ks(i) c(i)
keystreamgeneratorkey keystream
pseudo random
8/7/2019 705 TCD WirelessSec
16/95
16
RC4 Stream Cipher
RC4 is a popular stream cipherr Extensively analyzed and considered goodr Key can be from 1 to 256 bytes
r Used in WEP for 802.11r Can be used in SSL
8/7/2019 705 TCD WirelessSec
17/95
17
Block ciphers
Message to be encrypted is processed in blocks ofk bits (e.g., 64-bit blocks).
1-to-1 mapping is used to map k-bit block of
plaintext to k-bit block of ciphertextExample with k=3:
input output000 110001 111010 101011 100
input output
100 011101 010110 000111 001
What is the ciphertext for 010110001111 ?
8/7/2019 705 TCD WirelessSec
18/95
18
Block ciphers
How many possible mappings are there for k=3?r How many 3-bit inputs?r How many permutations of the 3-bit inputs?r Answer: 40,320 ; not very many!
In general, 2k! mappings; huge for k=64 Problem:
r Table approach requires table with 264 entries, eachentry with 64 bits
Table too big: instead use function thatsimulates a randomly permuted table
8/7/2019 705 TCD WirelessSec
19/95
8/7/2019 705 TCD WirelessSec
20/95
20
Why rounds in prototype?
If only a single round, then one bit of inputaffects at most 8 bits of output.
In 2nd round, the 8 affected bits get
scattered and inputted into multiplesubstitution boxes.
How many rounds?r
How many times do you need to shuffle cardsr Becomes less efficient as n increases
8/7/2019 705 TCD WirelessSec
21/95
21
Encrypting a large message
Why not just break message in 64-bit blocks,encrypt each block separately?r If same block of plaintext appears twice, will give same
cyphertext.
How about:r Generate random 64-bit number r(i) for each plaintext
block m(i)r Calculate c(i) = KS( m(i) r(i) )r Transmit c(i), r(i), i=1,2,r At receiver: m(i) = KS(c(i)) r(i)r Problem: inefficient, need to send c(i) and r(i)
8/7/2019 705 TCD WirelessSec
22/95
22
Cipher Block Chaining (CBC)
CBC generates its own random numbersr Have encryption of current block depend on result of previous block
r c(i) = KS( m(i) c(i-1) )
r m(i) = KS( c(i)) c(i-1)
How do we encrypt first block?r Initialization vector (IV): random block = c(0)r IV does not have to be secret
Change IV for each message (or session)r Guarantees that even if the same message is sent repeatedly, the
ciphertext will be completely different each time
8/7/2019 705 TCD WirelessSec
23/95
Cipher Block Chaining
cipher block: if inputblock repeated, willproduce same ciphertext:
t=1 m(1) = HTTP/1.1 blockcipher
c(1) = k329aM02
cipher block chaining:XOR ith input block, m(i),with previous block ofcipher text, c(i-1)r c(0) transmitted to
receiver in clearr what happens in
HTTP/1.1 scenariofrom above?
+
m(i)
c(i)
t=17m(17) = HTTP/1.1 block
cipherc(17) = k329aM02
blockcipher
c(i-1)
8/7/2019 705 TCD WirelessSec
24/95
24
Symmetric key crypto: DES
DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64-bit plaintext input Block cipher with cipher block chaining
How secure is DES?r DES Challenge: 56-bit-key-encrypted phrase
decrypted (brute force) in less than a dayr No known good analytic attack
making DES more secure:r 3DES: encrypt 3 times with 3 different keys
(actually encrypt, decrypt, encrypt)
8/7/2019 705 TCD WirelessSec
25/95
25
Symmetric key
crypto: DES
initial permutation
16 identical rounds offunction application,each using different 48bits of key
final permutation
DES operation
8/7/2019 705 TCD WirelessSec
26/95
26
AES: Advanced Encryption Standard
new (Nov. 2001) symmetric-key NISTstandard, replacing DES
processes data in 128 bit blocks
128, 192, or 256 bit keys brute force decryption (try each key)
taking 1 sec on DES, takes 149 trillion
years for AES
8/7/2019 705 TCD WirelessSec
27/95
27
Public Key Cryptography
symmetrickey crypto requires sender,
receiver know sharedsecret key
Q: how to agree on keyin first place(particularly if nevermet)?
publickey cryptography radically different
approach [Diffie-Hellman76, RSA78]
sender, receiver donotshare secret key
publicencryption keyknown to all
privatedecryptionkey known only toreceiver
8/7/2019 705 TCD WirelessSec
28/95
28
Public key cryptography
plaintextmessage, m
ciphertextencryptionalgorithm
decryptionalgorithm
Bobs publickey
plaintextmessageK (m)
B+
KB+
Bobs privatekey
KB-
m = K (K (m))B+
B-
8/7/2019 705 TCD WirelessSec
29/95
29
Public key encryption algorithms
need K ( ) and K ( ) such thatB B
. .
given public key K , it should beimpossible to compute privatekey K B
B
Requirements:
1
2
RSA: Rivest, Shamir, Adelson algorithm
+ -
K (K (m)) = mBB- +
+
-
8/7/2019 705 TCD WirelessSec
30/95
30
Prerequisite: modular arithmetic
x mod n = remainder of x when divide by n Facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n[(a mod n) * (b mod n)] mod n = (a*b) mod n
Thus (a mod n)d mod n = ad mod n Example: x=14, n=10, d=2:
(x mod n)d mod n = 42 mod 10 = 6xd = 142 = 196 xd mod 10 = 6
8/7/2019 705 TCD WirelessSec
31/95
31
RSA: getting ready
A message is a bit pattern. A bit pattern can be uniquely represented by an
integer number.
Thus encrypting a message is equivalent toencrypting a number.
Example m= 10010001 . This message is uniquely
represented by the decimal number 145. To encrypt m, we encrypt the correspondingnumber, which gives a new number (thecyphertext).
8/7/2019 705 TCD WirelessSec
32/95
32
RSA: Creating public/private keypair
1. Choose two large prime numbers p, q.(e.g., 1024 bits each)
2. Compute n= pq, z = (p-1)(q-1)
3. Choose e(with e
8/7/2019 705 TCD WirelessSec
33/95
33
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (
8/7/2019 705 TCD WirelessSec
34/95
34
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.e=5 (so e, z relatively prime).d=29(so ed-1exactly divisible by z).
bit pattern m me c = m mod ne
Letter l 12 24832 17
c m = c mod nd
17481968572106750915091411825223071697
12
cd
Alice encrypts:
Bob decrypts:
Bob makes n=35and e=5public (Public key)and he keeps d=29secret (Private key)
8/7/2019 705 TCD WirelessSec
35/95
35
Why does RSA work?
Must show that cd mod n = mwhere c = me mod n
Fact: for any x and y: xy mod n = x(y mod z) mod nr where n= pq and z = (p-1)(q-1)
Thus,cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z)
mod n(result of number theory)
= m1 mod n
= m
8/7/2019 705 TCD WirelessSec
36/95
36
RSA: another important property
The following property will be veryuseful later:
K (K (m)) = mBB
- +K (K (m))
BB+ -
=
use public keyfirst, followedby private key
use private keyfirst, followedby public key
Result is the same!
8/7/2019 705 TCD WirelessSec
37/95
37
Follows directly from modular arithmetic:
(me mod n)d mod n = med mod n
= mde mod n
= (md
mod n)e
mod n
K (K (m)) = mBB
- +K (K (m))
BB
+ -=Why ?
8/7/2019 705 TCD WirelessSec
38/95
38
Why is RSA Secure?
Suppose you know Bobs public key (n,e). How hard isit to determine d?
Essentially need to find factors of n without knowingthe two factors p and q.
Fact: factoring a big number is hard.
Generating RSA keys
Have to find big primes p and q Approach: make good guess then apply
testing rules (see Kaufman)
8/7/2019 705 TCD WirelessSec
39/95
39
Session keys
Exponentiation is computationally intensive DES is at least 100 times faster than RSA
Session key, KS Bob and Alice use RSA to exchange a
symmetric key KS Once both have KS, they use symmetric key
cryptography
8/7/2019 705 TCD WirelessSec
40/95
Security in Wireless System
What is network security? Principles of cryptography Message integrity Securing e-mail Securing TCP connections: SSL Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
41/95
41
Message Integrity
Allows communicating parties to verify thatreceived messages are authentic.r Content of message has not been alteredr Source of message is who/what you think it isr
Message has not been replayedr Sequence of messages is maintained
Lets first talk about message digests
8/7/2019 705 TCD WirelessSec
42/95
Internet checksum: poor message
8/7/2019 705 TCD WirelessSec
43/95
43
Internet checksum: poor messagedigest
Internet checksum has some properties of hash function: produces fixed length digest (16-bit sum) of input is many-to-one
But given message with given hash value, it is easy to find anothermessage with same hash value.
Example: Simplified checksum: add 4-byte chunks at a time:
I O U 10 0 . 9
9 B O B
49 4F 55 3130 30 2E 39
39 42 D2 42
message ASCII format
B2 C1 D2 AC
I O U 9
0 0 . 1
9 B O B
49 4F 55 39
30 30 2E 31
39 42 D2 42
message ASCII format
B2 C1 D2 ACdifferent messagesbut identical checksums!
8/7/2019 705 TCD WirelessSec
44/95
44
Hash Function Algorithms
MD5 hash function widely used (RFC 1321)r computes 128-bit message digest in 4-step
process. SHA-1 is also used.
r US standard [NIST, FIPS PUB 180-1]r 160-bit message digest
8/7/2019 705 TCD WirelessSec
45/95
45
Message Authentication Code (MAC)
messag
e
H( )
s
message
messages
H( )
compare
s = shared secret
Authenticates sender Verifies message integrity No encryption ! Also called keyed hash Notation: MDm = H(s||m) ; send m||MDm
8/7/2019 705 TCD WirelessSec
46/95
46
HMAC
Popular MAC standard Addresses some subtle security flaws
1. Concatenates secret to front of message.2. Hashes concatenated message
3. Concatenates the secret to front of
digest4. Hashes the combination again.
8/7/2019 705 TCD WirelessSec
47/95
47
Example: OSPF
Recall that OSPF is anintra-AS routingprotocol
Each router creates
map of entire AS (orarea) and runsshortest pathalgorithm over map.
Router receives link-state advertisements(LSAs) from all otherrouters in AS.
Attacks: Message insertion Message deletion
Message modification
How do we know if anOSPF message is
authentic?
8/7/2019 705 TCD WirelessSec
48/95
48
OSPF Authentication
Within an AutonomousSystem, routers sendOSPF messages to eachother.
OSPF providesauthentication choicesr No authenticationr Shared password:
inserted in clear in 64-bit authentication fieldin OSPF packet
r Cryptographic hash
Cryptographic hashwith MD5r 64-bit authentication
field includes 32-bit
sequence numberr MD5 is run over a
concatenation of theOSPF packet andshared secret key
r MD5 hash thenappended to OSPFpacket; encapsulated inIP datagram
8/7/2019 705 TCD WirelessSec
49/95
End-point authentication
Want to be sure of the originator of themessage end-point authentication.
Assuming Alice and Bob have a shared
secret, will MAC provide end-pointauthentication.r We do know that Alice created the message.r But did she send it?
49
8/7/2019 705 TCD WirelessSec
50/95
MACTransfer $1Mfrom Bill to Trudy
MACTransfer $1M fromBill to Trudy
Playback attack
MAC =f(msg,s)
8/7/2019 705 TCD WirelessSec
51/95
I am Alice
R
MACTransfer $1Mfrom Bill to Susan
MAC =f(msg,s,R)
Defending against playbackattack: nonce
8/7/2019 705 TCD WirelessSec
52/95
52
Digital Signatures
Cryptographic technique analogous to hand-written signatures.
sender (Bob) digitally signs document,
establishing he is document owner/creator. Goal is similar to that of a MAC, except now use
public-key cryptography verifiable, nonforgeable: recipient (Alice) can
prove to someone that Bob, and no one else(including Alice), must have signed document
8/7/2019 705 TCD WirelessSec
53/95
53
Digital Signatures
Simple digital signature for message m: Bob signs m by encrypting with his private key
KB, creating signed message, KB(m)--
Dear Alice
Oh, how I havemissed you. I think ofyou all the time! (blah blah blah)
Bob
Bobs message, m
Public keyencryptionalgorithm
Bobs privatekeyKB-
Bobs message,m, signed
(encrypted) withhis private key
KB-(m)
Di i l i i d di
8/7/2019 705 TCD WirelessSec
54/95
54
largemessage
mH: Hashfunction H(m)
digitalsignature(encrypt)
Bobsprivate
key KB-
+
Bob sends digitally signedmessage:
Alice verifies signature and
integrity of digitally signedmessage:
KB(H(m))-
encrypted
msg digest
KB(H(m))
-
encryptedmsg digest
largemessage
m
H: Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobspublic
key KB+
equal?
Digital signature = signed message digest
8/7/2019 705 TCD WirelessSec
55/95
55
Digital Signatures (more)
Suppose Alice receives msg m, digital signature KB(m)
Alice verifies m signed by Bob by applying Bobs public key KB to
KB(m) then checks KB(KB(m) ) = m.
If KB(KB(m) ) = m, whoever signed m must have used Bobs private
key.
+ +
-
-
- -
+
Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m.
Non-repudiation: Alice can take m, and signature KB(m) to court and prove that Bob
signed m.-
8/7/2019 705 TCD WirelessSec
56/95
56
Public-key certification
Motivation: Trudy plays pizza prank on Bobr Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me fourpepperoni pizzas. Thank you, Bob
r Trudy signs order with her private keyr Trudy sends order to Pizza Storer Trudy sends to Pizza Store her public key, but says
its Bobs public key.
r Pizza Store verifies signature; then delivers fourpizzas to Bob.
r Bob doesnt even like Pepperoni
8/7/2019 705 TCD WirelessSec
57/95
57
Certification Authorities
Certification authority (CA): binds public key toparticular entity, E. E (person, router) registers its public key with CA.
r E provides proof of identity to CA.r
CA creates certificate binding E to its public key.r certificate containing Es public key digitally signed by CA
CA says this is Es public key
Bobspublic
key KB+
Bobsidentifying
information
digitalsignature
(encrypt)
CAprivate
key KCA-
KB
+
certificate forBobs public key,
signed by CA
8/7/2019 705 TCD WirelessSec
58/95
58
Certification Authorities
When Alice wants Bobs public key:r gets Bobs certificate (Bob or elsewhere).r apply CAs public key to Bobs certificate, get
Bobs public key
Bobspublic
keyKB+
digitalsignature(decrypt)
CA
publickey
KCA+
KB+
8/7/2019 705 TCD WirelessSec
59/95
59
Certificates: summary
Primary standard X.509 (RFC 2459) Certificate contains:
r Issuer name
r Entity name, address, domain name, etc.r Entitys public keyr Digital signature (signed with issuers private
key)
Public-Key Infrastructure (PKI)r Certificates and certification authoritiesr Often considered heavy
8/7/2019 705 TCD WirelessSec
60/95
Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 Securing e-mail8.5 Securing TCP connections: SSL
Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
61/95
Secure e-mail
Alice: generates random symmetricprivate key, KS. encrypts message with KS (for efficiency) also encrypts KS with Bobs public key. sends both K
S
(m) and KB
(KS
) to Bob.
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+ -
KS(m )
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m )
KB(KS )+
8/7/2019 705 TCD WirelessSec
62/95
Secure e-mail
Bob: uses his private key to decrypt and recover KS uses KS to decrypt KS(m) to recover m
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+ -
KS(m )
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m )
KB(KS )+
8/7/2019 705 TCD WirelessSec
63/95
Secure e-mail (continued)
Alice wants to provide sender authentication messageintegrity.
Alice digitally signs message. sends both message (in the clear) and digital signature.
H( ). KA( ).-+ -
H(m )K
A(H(m))
-
m
KA-
Internet
m
KA( ).+
KA+
KA(H(m))
-
mH( ). H(m )
compare
8/7/2019 705 TCD WirelessSec
64/95
Secure e-mail (continued) Alice wants to provide secrecy, sender authentication,
message integrity.
Alice uses three keys: her private key, Bobs public key, newlycreated symmetric key
H( ). KA( ).-
+
KA(H(m))-
m
KA-
m
KS( ).
KB( ).+
+
KB(KS )+
KS
KB+
Internet
KS
8/7/2019 705 TCD WirelessSec
65/95
Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 Securing e-mail8.5 Securing TCP connections: SSL
Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
66/95
66
SSL: Secure Sockets Layer
Widely deployed securityprotocolr Supported by almost all
browsers and web serversr httpsr Tens of billions $ spent
per year over SSL Originally designed by
Netscape in 1993 Number of variations:
r TLS: transport layersecurity, RFC 2246
Providesr Confidentialityr Integrityr Authentication
Original goals:r Had Web e-commerce
transactions in mindr Encryption (especially
credit-card numbers)r Web-server
authenticationr Optional clientauthentication
r Minimum hassle in doingbusiness with newmerchant
Available to all TCPapplicationsr Secure socket interface
8/7/2019 705 TCD WirelessSec
67/95
67
SSL and TCP/IP
Application
TCP
IP
Normal Application
Application
SSL
TCP
IP
Applicationwith SSL
SSL provides application programming interface (API)to applications C and Java SSL libraries/classes readily available
Could do something like PGP:
8/7/2019 705 TCD WirelessSec
68/95
68
Could do something like PGP:
But want to send byte streams & interactive dataWant a set of secret keys for the entire connection Want certificate exchange part of protocol:
handshake phase
H( ). KA( ).-
+
KA(H(m))
-m
KA-
m
KS( ).
KB( ).+
+
KB(KS )+
KS
KB+
Internet
KS
8/7/2019 705 TCD WirelessSec
69/95
69
Toy SSL: a simple secure channel
Handshake: Alice and Bob use theircertificates and private keys toauthenticate each other and exchange
shared secret Key Derivation: Alice and Bob use shared
secret to derive set of keys Data Transfer: Data to be transferred is
broken up into a series of records Connection Closure: Special messages to
securely close connection
8/7/2019 705 TCD WirelessSec
70/95
70
Toy: A simple handshake
MS = master secret
EMS = encrypted master secret
SSLhello
CertificateofAlicespublic
keyKA+
KA+
(MS)=EMSCreate Master
Secret (MS) Decrypt EMS with KA-
to get MS
8/7/2019 705 TCD WirelessSec
71/95
71
Toy: Key derivation
Considered bad to use same key for more than onecryptographic operationr Use different keys for message authentication code
(MAC) and encryption
Four keys:r Kc = encryption key for data sent from client to server
r Mc = MAC key for data sent from client to server
r Ks = encryption key for data sent from server to client
r Ms = MAC key for data sent from server to client Keys derived from key derivation function (KDF)
r Takes master secret and (possibly) some additionalrandom data and creates the keys
Toy: Data Records
8/7/2019 705 TCD WirelessSec
72/95
72
Toy: Data Records Why not encrypt data in constant stream as we
write it to TCP?r Where would we put the MAC? If at end, no messageintegrity until all data processed.
r For example, with instant messaging, how can we dointegrity check over all bytes sent before displaying?
Instead, break stream in series of recordsr Each record carries a MACr Receiver can act on each record as it arrives
Issue: in record, receiver needs to distinguishMAC from datar Want to use variable-length records
length data MAC
8/7/2019 705 TCD WirelessSec
73/95
73
Toy: Sequence Numbers
Attacker can capture and replay record orre-order records
Solution: put sequence number into MAC:
r MAC = MAC(Mx, sequence number||data)r Note: no sequence number field
Attacker could still replay all of therecordsr Use random nonce
l f
8/7/2019 705 TCD WirelessSec
74/95
74
Toy: Control information
Truncation attack:r attacker forges TCP connection close segmentr One or both sides thinks there is less data than
there actually is.
Solution: record types, with one type forclosurer type 0 for data; type 1 for closure
MAC = MAC(Mx, sequence||type number||data)
length type data MAC
Toy SSL: summary
8/7/2019 705 TCD WirelessSec
75/95
75
Toy SSL: summary
hello
certificate,nonce
KB+(MS)=EMS
type0,seq1,datatype0,seq2,data
type0,seq1,data
type0,seq3,data
type1,seq4,close
type1,seq2,close
en
crypted
bob.com
T L i l
8/7/2019 705 TCD WirelessSec
76/95
76
Toy SSL isnt complete
How long are the fields? What encryption protocols? No negotiation
r Allow client and server to support differentencryption algorithms
r Allow client and server to choose togetherspecific algorithm before data transfer
Most common symmetric ciphers in
8/7/2019 705 TCD WirelessSec
77/95
77
Most common symmetric ciphers inSSL
DES Data Encryption Standard: block 3DES Triple strength: block RC2 Rivest Cipher 2: block
RC4 Rivest Cipher 4: stream
Public key encryption
RSA
SSL Ci h S i
8/7/2019 705 TCD WirelessSec
78/95
78
SSL Cipher Suite
Cipher Suiter Public-key algorithmr Symmetric encryption algorithmr
MAC algorithm SSL supports a variety of cipher suites Negotiation: client and server must agree
on cipher suite Client offers choice; server picks one
R l SSL H d h k (1)
8/7/2019 705 TCD WirelessSec
79/95
79
Real SSL: Handshake (1)
Purpose1. Server authentication
2. Negotiation: agree on crypto algorithms
3. Establish keys4. Client authentication (optional)
R l SSL H d h k (2)
8/7/2019 705 TCD WirelessSec
80/95
80
Real SSL: Handshake (2)
1. Client sends list of algorithms it supports, along withclient nonce2. Server chooses algorithms from list; sends back:
choice + certificate + server nonce3. Client verifies certificate, extracts servers public
key, generates pre_master_secret, encrypts withservers public key, sends to server4. Client and server independently compute encryption
and MAC keys from pre_master_secret and nonces5. Client sends a MAC of all the handshake messages6. Server sends a MAC of all the handshake messages
8/7/2019 705 TCD WirelessSec
81/95
R l SSL H d h ki (4)
8/7/2019 705 TCD WirelessSec
82/95
82
Real SSL: Handshaking (4)
Why the two random nonces? Suppose Trudy sniffs all messages between
Alice & Bob. Next day, Trudy sets up TCP connection with
Bob, sends the exact same sequence ofrecords,.r Bob (Amazon) thinks Alice made two separate
orders for the same thing.
r Solution: Bob sends different random nonce foreach connection. This causes encryption keys to bedifferent on the two days.
r Trudys messages will fail Bobs integrity check.
SSL Record Protocol
8/7/2019 705 TCD WirelessSec
83/95
83
SSL Record Protocol
data
data
fragment
data
fragmentMAC MAC
encrypteddata and MAC
encrypteddata and MAC
recordheader
recordheader
record header: content type; version; length
MAC: includes sequence number, MAC key Mx
Fragment: each SSL fragment 214 bytes (~16 Kbytes)
SSL Record Format
8/7/2019 705 TCD WirelessSec
84/95
84
SSL Record Format
contenttype SSL version length
MAC
data
1 byte 2 bytes 3 bytes
Data and MAC encrypted (symmetric algo)
handshake:ClientHelloReal
8/7/2019 705 TCD WirelessSec
85/95
85
handshake:ServerHe
llo
handshake:Certifica
te
handshake:ServerHelloDone
handshake:ClientKeyExchangeChangeCipherSpec
handshake:Finished
ChangeCipherSpec
handshake:Finished
application_data
application_data
Alert:warning,close_notify
Connection
TCP Fin follow
Everythinghenceforthis encrypted
K d i ti
8/7/2019 705 TCD WirelessSec
86/95
86
Key derivation
Client nonce, server nonce, and pre-master secretinput into pseudo random-number generator.r Produces master secret
Master secret and new nonces inputed into
another random-number generator: key blockr Because of resumption: TBD Key block sliced and diced:
r client MAC keyr server MAC key
r client encryption keyr server encryption keyr client initialization vector (IV)r server initialization vector (IV)
Ch t 8 dm
8/7/2019 705 TCD WirelessSec
87/95
Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 Securing e-mail8.5 Securing TCP connections: SSL
Case Study: SSH (Secure Shell)
Case Study: SSH (Secure Shell)
8/7/2019 705 TCD WirelessSec
88/95
ase Study SSH (Secure Shell) Secure remote session
r Encrypted connection, secret per session key (Diffie-Hellman)r Port 22r Used instead of telnet
Authentication optionsr
Encrypted passwordr Preinstalled public key
Tunnels and port redirectionr Redirect the connections of other applicationsr Automatic redirection of X connections -> secure access of
remote GUI
88
Back to SSH: Architecture
8/7/2019 705 TCD WirelessSec
89/95
H u
TCP TCP
ssh-trans ssh-trans
ssh-userauth ssh-userauth
ssh-connect ssh-connect
ssh-trans server authentication, confidentiality, integrity
ssh-userauth authenticates the client-side user
ssh-connect multiplexes the encrypted tunnel into several
logical channels (enables port redirection)89
8/7/2019 705 TCD WirelessSec
90/95
ssh-trans
8/7/2019 705 TCD WirelessSec
91/95
Confidentialityr data encrypted using a one-time secret session key
Key exchange phaser Diffie-Hellman method to create a secret key K
Encryptionr symmetric encryption using Kr several ciphers can be used
Integrityr MAC (Message Authentication Code) included with each
packetr computed from the shared secret key, packet sequence
number, the contents of the packet91
ssh-userauth
8/7/2019 705 TCD WirelessSec
92/95
Passwordr username, password on the remote system
Public key authenticationr user generates a pair of keys: public + secretr
public key stored on the remote system (fileauthorized_keys)r authentication request
signature by the secret key over (session-id, username)
the signature verifed on the server by the public key
92
ssh-connect
8/7/2019 705 TCD WirelessSec
93/95
Multiple channels multiplexed into a single connection at
the ssh-trans level Channels identified by numbers on each end Channels are individually flow-controlled
r window size - amount of data to send
93
SSH: Summary
8/7/2019 705 TCD WirelessSec
94/95
y
Excellent securityr Encryptionr Two-way authenticationr Should be used instead of telnet/rlogin
Integration with other applicationsr Through tunnelingr E-mail, X-windows,...
94
Network Security (summary)
8/7/2019 705 TCD WirelessSec
95/95
Network Security (summary)
Basic techniques...r cryptography (symmetric and public)r message integrityr end-point authentication
. used in many different security scenariosr secure emailr secure transport (SSL)
A case study: SSH
Network security is crucial. A full, mandatory course isdevoted to it in the 3rd year of Bachelor.