705 TCD WirelessSec

8/7/2019 705 TCD WirelessSec

1/95

Security in Wireless System

Goals: understand principles of network security:

r cryptography and its manyuses beyondconfidentiality

r authenticationr message integrity

security in practice:r firewalls and intrusion detection systemsr security in application, transport, network, link

layers


2/95


What is network security? Principles of cryptography Message integrity Securing e-mail Securing TCP connections: SSL Case Study: SSH (Secure Shell)


3/95

What is network security?

Confidentiality: only sender, intended receivershould understand message contentsr sender encrypts messager

receiver decrypts messageAuthentication: sender, receiver want to confirm

identity of each other

Message integrity: sender, receiver want to ensure

message not altered (in transit, or afterwards)without detection

Access and availability: services must be accessibleand available to users


4/95

Friends and enemies: Alice, Bob, Trudy

well-known in network security world Bob, Alice (lovers!) want to communicate securely Trudy (intruder) may intercept, delete, add messages

secure

sender

secure

receiver

channel data, controlmessages

data data

Alice Bob

Trudy


5/95

Who might Bob, Alice be?

well, real-lifeBobs and Alices! Web browser/server for electronic

transactions (e.g., on-line purchases)

on-line banking client/server DNS servers routers exchanging routing table updates other examples?


6/95

There are bad guys (and girls) out there!

Q: What can a bad guy do?A: A lot! See section 1.6r eavesdrop:intercept messagesr actively insertmessages into connectionr

impersonation:can fake (spoof) source address inpacket (or any field in packet)r hijacking:take over ongoing connection by

removing sender or receiver, inserting himself inplace

r denial of service: prevent service from beingused by others (e.g., by overloading resources)


7/95




8/95

8

The language of cryptography

m plaintext message

KA(m) ciphertext, encrypted with key KAm = KB(KA(m))

plaintext plaintextciphertext

KA

encryptionalgorithm

decryptionalgorithm

Alices

encryptionkey

Bobs

decryptionkey

KB


9/95

9

Simple encryption scheme

substitution cipher: substituting one thing for anotherr monoalphabetic cipher: substitute one letter for another

plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: mnbvcxzasdfghjklpoiuytrewq

Plaintext: bob. Howdy. alice

ciphertext: nkn. akrvw. mgsbc

E.g.:

Key: the mapping from the set of 26 letters to theset of 26 letters


10/95

10

Polyalphabetic encryption

n monoalphabetic cyphers, M1,M2,,Mn Cycling pattern:

r e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;

For each new plaintext symbol, usesubsequent monoalphabetic pattern incyclic patternr dog: d from M1, o from M3, g from M4

Key: the n ciphers and the cyclic pattern


11/95

11

Breaking an encryption scheme

Cipher-text onlyattack: Trudy hasciphertext that shecan analyze

Two approaches:r Search through all

keys: must be able todifferentiate resulting

plaintext fromgibberishr Statistical analysis

Known-plaintext attack:trudy has some plaintextcorresponding to someciphertextr eg, in monoalphabetic

cipher, trudy determinespairings for a,l,i,c,e,b,o,

Chosen-plaintext attack:

trudy can get thecyphertext for somechosen plaintext


12/95

12

Types of Cryptography

Crypto often uses keys:r Algorithm is known to everyoner Only keys are secret

Public key cryptographyr Involves the use of two keys Symmetric key cryptography

r Involves the use one key

Hash functionsr Involves the use of no keysr Nothing secret: How can this be useful?


13/95

13

Symmetric key cryptography

symmetric key crypto: Bob and Alice share same(symmetric) key: K

e.g., key is knowing substitution pattern in monoalphabetic substitution cipher

Q: how do Bob and Alice agree on key value?

plaintextciphertext

K S

encryption

algorithm

decryption

algorithm

S

K S

plaintext

message, m K (m)S

m = KS(KS(m))


14/95

14

Two types of symmetric ciphers

Stream ciphersr encrypt one bit at time

Block ciphersr Break plaintext message in equal-size blocksr Encrypt each block as a unit


15/95

15

Stream Ciphers

Combine each bit of keystream with bit ofplaintext to get bit of ciphertext

m(i) = ith bit of message

ks(i) = ith bit of keystream c(i) = ith bit of ciphertext c(i) = ks(i) m(i) ( = exclusive or) m(i) = ks(i) c(i)

keystreamgeneratorkey keystream

pseudo random


16/95

16

RC4 Stream Cipher

RC4 is a popular stream cipherr Extensively analyzed and considered goodr Key can be from 1 to 256 bytes

r Used in WEP for 802.11r Can be used in SSL


17/95

17

Block ciphers

Message to be encrypted is processed in blocks ofk bits (e.g., 64-bit blocks).

1-to-1 mapping is used to map k-bit block of

plaintext to k-bit block of ciphertextExample with k=3:

input output000 110001 111010 101011 100

input output

100 011101 010110 000111 001

What is the ciphertext for 010110001111 ?


18/95

18

Block ciphers

How many possible mappings are there for k=3?r How many 3-bit inputs?r How many permutations of the 3-bit inputs?r Answer: 40,320 ; not very many!

In general, 2k! mappings; huge for k=64 Problem:

r Table approach requires table with 264 entries, eachentry with 64 bits

Table too big: instead use function thatsimulates a randomly permuted table


19/95


20/95

20

Why rounds in prototype?

If only a single round, then one bit of inputaffects at most 8 bits of output.

In 2nd round, the 8 affected bits get

scattered and inputted into multiplesubstitution boxes.

How many rounds?r

How many times do you need to shuffle cardsr Becomes less efficient as n increases


21/95

21

Encrypting a large message

Why not just break message in 64-bit blocks,encrypt each block separately?r If same block of plaintext appears twice, will give same

cyphertext.

How about:r Generate random 64-bit number r(i) for each plaintext

block m(i)r Calculate c(i) = KS( m(i) r(i) )r Transmit c(i), r(i), i=1,2,r At receiver: m(i) = KS(c(i)) r(i)r Problem: inefficient, need to send c(i) and r(i)


22/95

22

Cipher Block Chaining (CBC)

CBC generates its own random numbersr Have encryption of current block depend on result of previous block

r c(i) = KS( m(i) c(i-1) )

r m(i) = KS( c(i)) c(i-1)

How do we encrypt first block?r Initialization vector (IV): random block = c(0)r IV does not have to be secret

Change IV for each message (or session)r Guarantees that even if the same message is sent repeatedly, the

ciphertext will be completely different each time


23/95

Cipher Block Chaining

cipher block: if inputblock repeated, willproduce same ciphertext:

t=1 m(1) = HTTP/1.1 blockcipher

c(1) = k329aM02

cipher block chaining:XOR ith input block, m(i),with previous block ofcipher text, c(i-1)r c(0) transmitted to

receiver in clearr what happens in

HTTP/1.1 scenariofrom above?

+

m(i)

c(i)

t=17m(17) = HTTP/1.1 block

cipherc(17) = k329aM02

blockcipher

c(i-1)


24/95

24

Symmetric key crypto: DES

DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64-bit plaintext input Block cipher with cipher block chaining

How secure is DES?r DES Challenge: 56-bit-key-encrypted phrase

decrypted (brute force) in less than a dayr No known good analytic attack

making DES more secure:r 3DES: encrypt 3 times with 3 different keys

(actually encrypt, decrypt, encrypt)


25/95

25

Symmetric key

crypto: DES

initial permutation

16 identical rounds offunction application,each using different 48bits of key

final permutation

DES operation


26/95

26

AES: Advanced Encryption Standard

new (Nov. 2001) symmetric-key NISTstandard, replacing DES

processes data in 128 bit blocks

128, 192, or 256 bit keys brute force decryption (try each key)

taking 1 sec on DES, takes 149 trillion

years for AES


27/95

27

Public Key Cryptography

symmetrickey crypto requires sender,

receiver know sharedsecret key

Q: how to agree on keyin first place(particularly if nevermet)?

publickey cryptography radically different

approach [Diffie-Hellman76, RSA78]

sender, receiver donotshare secret key

publicencryption keyknown to all

privatedecryptionkey known only toreceiver


28/95

28

Public key cryptography

plaintextmessage, m

ciphertextencryptionalgorithm

decryptionalgorithm

Bobs publickey

plaintextmessageK (m)

B+

KB+

Bobs privatekey

KB-

m = K (K (m))B+

B-


29/95

29

Public key encryption algorithms

need K ( ) and K ( ) such thatB B

. .

given public key K , it should beimpossible to compute privatekey K B

B

Requirements:

1

2

RSA: Rivest, Shamir, Adelson algorithm

+ -

K (K (m)) = mBB- +

+

-


30/95

30

Prerequisite: modular arithmetic

x mod n = remainder of x when divide by n Facts:

[(a mod n) + (b mod n)] mod n = (a+b) mod n

[(a mod n) - (b mod n)] mod n = (a-b) mod n[(a mod n) * (b mod n)] mod n = (a*b) mod n

Thus (a mod n)d mod n = ad mod n Example: x=14, n=10, d=2:

(x mod n)d mod n = 42 mod 10 = 6xd = 142 = 196 xd mod 10 = 6


31/95

31

RSA: getting ready

A message is a bit pattern. A bit pattern can be uniquely represented by an

integer number.

Thus encrypting a message is equivalent toencrypting a number.

Example m= 10010001 . This message is uniquely

represented by the decimal number 145. To encrypt m, we encrypt the correspondingnumber, which gives a new number (thecyphertext).


32/95

32

RSA: Creating public/private keypair

1. Choose two large prime numbers p, q.(e.g., 1024 bits each)

2. Compute n= pq, z = (p-1)(q-1)

3. Choose e(with e


33/95

33

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above

1. To encrypt message m (


34/95

34

RSA example:

Bob chooses p=5, q=7. Then n=35, z=24.e=5 (so e, z relatively prime).d=29(so ed-1exactly divisible by z).

bit pattern m me c = m mod ne

Letter l 12 24832 17

c m = c mod nd

17481968572106750915091411825223071697

12

cd

Alice encrypts:

Bob decrypts:

Bob makes n=35and e=5public (Public key)and he keeps d=29secret (Private key)


35/95

35

Why does RSA work?

Must show that cd mod n = mwhere c = me mod n

Fact: for any x and y: xy mod n = x(y mod z) mod nr where n= pq and z = (p-1)(q-1)

Thus,cd mod n = (me mod n)d mod n

= med mod n

= m(ed mod z)

mod n(result of number theory)

= m1 mod n

= m


36/95

36

RSA: another important property

The following property will be veryuseful later:

K (K (m)) = mBB

- +K (K (m))

BB+ -

=

use public keyfirst, followedby private key

use private keyfirst, followedby public key

Result is the same!


37/95

37

Follows directly from modular arithmetic:

(me mod n)d mod n = med mod n

= mde mod n

= (md

mod n)e

mod n

K (K (m)) = mBB

- +K (K (m))

BB

+ -=Why ?


38/95

38

Why is RSA Secure?

Suppose you know Bobs public key (n,e). How hard isit to determine d?

Essentially need to find factors of n without knowingthe two factors p and q.

Fact: factoring a big number is hard.

Generating RSA keys

Have to find big primes p and q Approach: make good guess then apply

testing rules (see Kaufman)


39/95

39

Session keys

Exponentiation is computationally intensive DES is at least 100 times faster than RSA

Session key, KS Bob and Alice use RSA to exchange a

symmetric key KS Once both have KS, they use symmetric key

cryptography


40/95




41/95

41

Message Integrity

Allows communicating parties to verify thatreceived messages are authentic.r Content of message has not been alteredr Source of message is who/what you think it isr

Message has not been replayedr Sequence of messages is maintained

Lets first talk about message digests


42/95

Internet checksum: poor message


43/95

43

Internet checksum: poor messagedigest

Internet checksum has some properties of hash function: produces fixed length digest (16-bit sum) of input is many-to-one

But given message with given hash value, it is easy to find anothermessage with same hash value.

Example: Simplified checksum: add 4-byte chunks at a time:

I O U 10 0 . 9

9 B O B

49 4F 55 3130 30 2E 39

39 42 D2 42

message ASCII format

B2 C1 D2 AC

I O U 9

0 0 . 1

9 B O B

49 4F 55 39

30 30 2E 31

39 42 D2 42

message ASCII format

B2 C1 D2 ACdifferent messagesbut identical checksums!


44/95

44

Hash Function Algorithms

MD5 hash function widely used (RFC 1321)r computes 128-bit message digest in 4-step

process. SHA-1 is also used.

r US standard [NIST, FIPS PUB 180-1]r 160-bit message digest


45/95

45

Message Authentication Code (MAC)

messag

e

H( )

s

message

messages

H( )

compare

s = shared secret

Authenticates sender Verifies message integrity No encryption ! Also called keyed hash Notation: MDm = H(s||m) ; send m||MDm


46/95

46

HMAC

Popular MAC standard Addresses some subtle security flaws

1. Concatenates secret to front of message.2. Hashes concatenated message

3. Concatenates the secret to front of

digest4. Hashes the combination again.


47/95

47

Example: OSPF

Recall that OSPF is anintra-AS routingprotocol

Each router creates

map of entire AS (orarea) and runsshortest pathalgorithm over map.

Router receives link-state advertisements(LSAs) from all otherrouters in AS.

Attacks: Message insertion Message deletion

Message modification

How do we know if anOSPF message is

authentic?


48/95

48

OSPF Authentication

Within an AutonomousSystem, routers sendOSPF messages to eachother.

OSPF providesauthentication choicesr No authenticationr Shared password:

inserted in clear in 64-bit authentication fieldin OSPF packet

r Cryptographic hash

Cryptographic hashwith MD5r 64-bit authentication

field includes 32-bit

sequence numberr MD5 is run over a

concatenation of theOSPF packet andshared secret key

r MD5 hash thenappended to OSPFpacket; encapsulated inIP datagram


49/95

End-point authentication

Want to be sure of the originator of themessage end-point authentication.

Assuming Alice and Bob have a shared

secret, will MAC provide end-pointauthentication.r We do know that Alice created the message.r But did she send it?

49


50/95

MACTransfer $1Mfrom Bill to Trudy

MACTransfer $1M fromBill to Trudy

Playback attack

MAC =f(msg,s)


51/95

I am Alice

R

MACTransfer $1Mfrom Bill to Susan

MAC =f(msg,s,R)

Defending against playbackattack: nonce


52/95

52

Digital Signatures

Cryptographic technique analogous to hand-written signatures.

sender (Bob) digitally signs document,

establishing he is document owner/creator. Goal is similar to that of a MAC, except now use

public-key cryptography verifiable, nonforgeable: recipient (Alice) can

prove to someone that Bob, and no one else(including Alice), must have signed document


53/95

53

Digital Signatures

Simple digital signature for message m: Bob signs m by encrypting with his private key

KB, creating signed message, KB(m)--

Dear Alice

Oh, how I havemissed you. I think ofyou all the time! (blah blah blah)

Bob

Bobs message, m

Public keyencryptionalgorithm

Bobs privatekeyKB-

Bobs message,m, signed

(encrypted) withhis private key

KB-(m)

Di i l i i d di


54/95

54

largemessage

mH: Hashfunction H(m)

digitalsignature(encrypt)

Bobsprivate

key KB-

+

Bob sends digitally signedmessage:

Alice verifies signature and

integrity of digitally signedmessage:

KB(H(m))-

encrypted

msg digest

KB(H(m))

-

encryptedmsg digest

largemessage

m

H: Hashfunction

H(m)

digitalsignature(decrypt)

H(m)

Bobspublic

key KB+

equal?

Digital signature = signed message digest


55/95

55

Digital Signatures (more)

Suppose Alice receives msg m, digital signature KB(m)

Alice verifies m signed by Bob by applying Bobs public key KB to

KB(m) then checks KB(KB(m) ) = m.

If KB(KB(m) ) = m, whoever signed m must have used Bobs private

key.

+ +

-

-

- -

+

Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m.

Non-repudiation: Alice can take m, and signature KB(m) to court and prove that Bob

signed m.-


56/95

56

Public-key certification

Motivation: Trudy plays pizza prank on Bobr Trudy creates e-mail order:

Dear Pizza Store, Please deliver to me fourpepperoni pizzas. Thank you, Bob

r Trudy signs order with her private keyr Trudy sends order to Pizza Storer Trudy sends to Pizza Store her public key, but says

its Bobs public key.

r Pizza Store verifies signature; then delivers fourpizzas to Bob.

r Bob doesnt even like Pepperoni


57/95

57

Certification Authorities

Certification authority (CA): binds public key toparticular entity, E. E (person, router) registers its public key with CA.

r E provides proof of identity to CA.r

CA creates certificate binding E to its public key.r certificate containing Es public key digitally signed by CA

CA says this is Es public key

Bobspublic

key KB+

Bobsidentifying

information

digitalsignature

(encrypt)

CAprivate

key KCA-

KB

+

certificate forBobs public key,

signed by CA


58/95

58

Certification Authorities

When Alice wants Bobs public key:r gets Bobs certificate (Bob or elsewhere).r apply CAs public key to Bobs certificate, get

Bobs public key

Bobspublic

keyKB+

digitalsignature(decrypt)

CA

publickey

KCA+

KB+


59/95

59

Certificates: summary

Primary standard X.509 (RFC 2459) Certificate contains:

r Issuer name

r Entity name, address, domain name, etc.r Entitys public keyr Digital signature (signed with issuers private

key)

Public-Key Infrastructure (PKI)r Certificates and certification authoritiesr Often considered heavy


60/95

Chapter 8 roadmap

8.1 What is network security?

8.2 Principles of cryptography

8.3 Message integrity

8.4 Securing e-mail8.5 Securing TCP connections: SSL

Case Study: SSH (Secure Shell)


61/95

Secure e-mail

Alice: generates random symmetricprivate key, KS. encrypts message with KS (for efficiency) also encrypts KS with Bobs public key. sends both K

S

(m) and KB

(KS

) to Bob.

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m )

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m )

KB(KS )+


62/95

Secure e-mail

Bob: uses his private key to decrypt and recover KS uses KS to decrypt KS(m) to recover m

Alice wants to send confidential e-mail, m, to Bob.

KS( ).

KB( ).+

+ -

KS(m )

KB(KS )+

m

KS

KS

KB+

Internet

KS( ).

KB( ).-

KB-

KS

mKS(m )

KB(KS )+


63/95

Secure e-mail (continued)

Alice wants to provide sender authentication messageintegrity.

Alice digitally signs message. sends both message (in the clear) and digital signature.

H( ). KA( ).-+ -

H(m )K

A(H(m))

-

m

KA-

Internet

m

KA( ).+

KA+

KA(H(m))

-

mH( ). H(m )

compare


64/95

Secure e-mail (continued) Alice wants to provide secrecy, sender authentication,

message integrity.

Alice uses three keys: her private key, Bobs public key, newlycreated symmetric key

H( ). KA( ).-

+

KA(H(m))-

m

KA-

m

KS( ).

KB( ).+

+

KB(KS )+

KS

KB+

Internet

KS


65/95

Chapter 8 roadmap







66/95

66

SSL: Secure Sockets Layer

Widely deployed securityprotocolr Supported by almost all

browsers and web serversr httpsr Tens of billions $ spent

per year over SSL Originally designed by

Netscape in 1993 Number of variations:

r TLS: transport layersecurity, RFC 2246

Providesr Confidentialityr Integrityr Authentication

Original goals:r Had Web e-commerce

transactions in mindr Encryption (especially

credit-card numbers)r Web-server

authenticationr Optional clientauthentication

r Minimum hassle in doingbusiness with newmerchant

Available to all TCPapplicationsr Secure socket interface


67/95

67

SSL and TCP/IP

Application

TCP

IP

Normal Application

Application

SSL

TCP

IP

Applicationwith SSL

SSL provides application programming interface (API)to applications C and Java SSL libraries/classes readily available

Could do something like PGP:


68/95

68

Could do something like PGP:

But want to send byte streams & interactive dataWant a set of secret keys for the entire connection Want certificate exchange part of protocol:

handshake phase

H( ). KA( ).-

+

KA(H(m))

-m

KA-

m

KS( ).

KB( ).+

+

KB(KS )+

KS

KB+

Internet

KS


69/95

69

Toy SSL: a simple secure channel

Handshake: Alice and Bob use theircertificates and private keys toauthenticate each other and exchange

shared secret Key Derivation: Alice and Bob use shared

secret to derive set of keys Data Transfer: Data to be transferred is

broken up into a series of records Connection Closure: Special messages to

securely close connection


70/95

70

Toy: A simple handshake

MS = master secret

EMS = encrypted master secret

SSLhello

CertificateofAlicespublic

keyKA+

KA+

(MS)=EMSCreate Master

Secret (MS) Decrypt EMS with KA-

to get MS


71/95

71

Toy: Key derivation

Considered bad to use same key for more than onecryptographic operationr Use different keys for message authentication code

(MAC) and encryption

Four keys:r Kc = encryption key for data sent from client to server

r Mc = MAC key for data sent from client to server

r Ks = encryption key for data sent from server to client

r Ms = MAC key for data sent from server to client Keys derived from key derivation function (KDF)

r Takes master secret and (possibly) some additionalrandom data and creates the keys

Toy: Data Records


72/95

72

Toy: Data Records Why not encrypt data in constant stream as we

write it to TCP?r Where would we put the MAC? If at end, no messageintegrity until all data processed.

r For example, with instant messaging, how can we dointegrity check over all bytes sent before displaying?

Instead, break stream in series of recordsr Each record carries a MACr Receiver can act on each record as it arrives

Issue: in record, receiver needs to distinguishMAC from datar Want to use variable-length records

length data MAC


73/95

73

Toy: Sequence Numbers

Attacker can capture and replay record orre-order records

Solution: put sequence number into MAC:

r MAC = MAC(Mx, sequence number||data)r Note: no sequence number field

Attacker could still replay all of therecordsr Use random nonce

l f


74/95

74

Toy: Control information

Truncation attack:r attacker forges TCP connection close segmentr One or both sides thinks there is less data than

there actually is.

Solution: record types, with one type forclosurer type 0 for data; type 1 for closure

MAC = MAC(Mx, sequence||type number||data)

length type data MAC

Toy SSL: summary


75/95

75

Toy SSL: summary

hello

certificate,nonce

KB+(MS)=EMS

type0,seq1,datatype0,seq2,data

type0,seq1,data

type0,seq3,data

type1,seq4,close

type1,seq2,close

en

crypted

bob.com

T L i l


76/95

76

Toy SSL isnt complete

How long are the fields? What encryption protocols? No negotiation

r Allow client and server to support differentencryption algorithms

r Allow client and server to choose togetherspecific algorithm before data transfer

Most common symmetric ciphers in


77/95

77

Most common symmetric ciphers inSSL

DES Data Encryption Standard: block 3DES Triple strength: block RC2 Rivest Cipher 2: block

RC4 Rivest Cipher 4: stream

Public key encryption

RSA

SSL Ci h S i


78/95

78

SSL Cipher Suite

Cipher Suiter Public-key algorithmr Symmetric encryption algorithmr

MAC algorithm SSL supports a variety of cipher suites Negotiation: client and server must agree

on cipher suite Client offers choice; server picks one

R l SSL H d h k (1)


79/95

79

Real SSL: Handshake (1)

Purpose1. Server authentication

2. Negotiation: agree on crypto algorithms

3. Establish keys4. Client authentication (optional)

R l SSL H d h k (2)


80/95

80

Real SSL: Handshake (2)

1. Client sends list of algorithms it supports, along withclient nonce2. Server chooses algorithms from list; sends back:

choice + certificate + server nonce3. Client verifies certificate, extracts servers public

key, generates pre_master_secret, encrypts withservers public key, sends to server4. Client and server independently compute encryption

and MAC keys from pre_master_secret and nonces5. Client sends a MAC of all the handshake messages6. Server sends a MAC of all the handshake messages


81/95

R l SSL H d h ki (4)


82/95

82

Real SSL: Handshaking (4)

Why the two random nonces? Suppose Trudy sniffs all messages between

Alice & Bob. Next day, Trudy sets up TCP connection with

Bob, sends the exact same sequence ofrecords,.r Bob (Amazon) thinks Alice made two separate

orders for the same thing.

r Solution: Bob sends different random nonce foreach connection. This causes encryption keys to bedifferent on the two days.

r Trudys messages will fail Bobs integrity check.

SSL Record Protocol


83/95

83

SSL Record Protocol

data

data

fragment

data

fragmentMAC MAC

encrypteddata and MAC

encrypteddata and MAC

recordheader

recordheader

record header: content type; version; length

MAC: includes sequence number, MAC key Mx

Fragment: each SSL fragment 214 bytes (~16 Kbytes)

SSL Record Format


84/95

84

SSL Record Format

contenttype SSL version length

MAC

data

1 byte 2 bytes 3 bytes

Data and MAC encrypted (symmetric algo)

handshake:ClientHelloReal


85/95

85

handshake:ServerHe

llo

handshake:Certifica

te

handshake:ServerHelloDone

handshake:ClientKeyExchangeChangeCipherSpec

handshake:Finished

ChangeCipherSpec

handshake:Finished

application_data

application_data

Alert:warning,close_notify

Connection

TCP Fin follow

Everythinghenceforthis encrypted

K d i ti


86/95

86

Key derivation

Client nonce, server nonce, and pre-master secretinput into pseudo random-number generator.r Produces master secret

Master secret and new nonces inputed into

another random-number generator: key blockr Because of resumption: TBD Key block sliced and diced:

r client MAC keyr server MAC key

r client encryption keyr server encryption keyr client initialization vector (IV)r server initialization vector (IV)

Ch t 8 dm


87/95

Chapter 8 roadmap








88/95

ase Study SSH (Secure Shell) Secure remote session

r Encrypted connection, secret per session key (Diffie-Hellman)r Port 22r Used instead of telnet

Authentication optionsr

Encrypted passwordr Preinstalled public key

Tunnels and port redirectionr Redirect the connections of other applicationsr Automatic redirection of X connections -> secure access of

remote GUI

88

Back to SSH: Architecture


89/95

H u

TCP TCP

ssh-trans ssh-trans

ssh-userauth ssh-userauth

ssh-connect ssh-connect

ssh-trans server authentication, confidentiality, integrity

ssh-userauth authenticates the client-side user

ssh-connect multiplexes the encrypted tunnel into several

logical channels (enables port redirection)89


90/95

ssh-trans


91/95

Confidentialityr data encrypted using a one-time secret session key

Key exchange phaser Diffie-Hellman method to create a secret key K

Encryptionr symmetric encryption using Kr several ciphers can be used

Integrityr MAC (Message Authentication Code) included with each

packetr computed from the shared secret key, packet sequence

number, the contents of the packet91

ssh-userauth


92/95

Passwordr username, password on the remote system

Public key authenticationr user generates a pair of keys: public + secretr

public key stored on the remote system (fileauthorized_keys)r authentication request

signature by the secret key over (session-id, username)

the signature verifed on the server by the public key

92

ssh-connect


93/95

Multiple channels multiplexed into a single connection at

the ssh-trans level Channels identified by numbers on each end Channels are individually flow-controlled

r window size - amount of data to send

93

SSH: Summary


94/95

y

Excellent securityr Encryptionr Two-way authenticationr Should be used instead of telnet/rlogin

Integration with other applicationsr Through tunnelingr E-mail, X-windows,...

94

Network Security (summary)


95/95

Network Security (summary)

Basic techniques...r cryptography (symmetric and public)r message integrityr end-point authentication

. used in many different security scenariosr secure emailr secure transport (SSL)

A case study: SSH

Network security is crucial. A full, mandatory course isdevoted to it in the 3rd year of Bachelor.

Documents

705 TCD WirelessSec