K. Salah 2
Security Services
• Confidentiality/Privacy
  • Has to do with hiding information. Only the intended receiver can make sense out of the message.
• Message Authentication
  • Data Origin
    • Can it be achieved by symmetric cipher? Yes
    • Can it be achieved by asymmetric cipher? No
  • Data Integrity
    • Can it be achieved by symmetric cipher? (not really)
    • Can it be achieved by asymmetric cipher? (not really)
    • There is the possibility that bits (cipher bit-blocks) can be re-ordered in transit
• Non-Repudiation
  • The receiver must prove that the message came from a specific sender. The sender cannot repudiate/deny sending the message

Digital Signature
• Provides
  • Authentication
    • Data Origin
    • Data Integrity (with collision-free hashing)
  • Nonrepudiation
• Does not provide confidentiality/privacy
  • Need to encrypt the message

• What is the difference (in terms of non-repudiation, data origin, data integrity, confidentiality) when:
  • Sign then Encrypt
  • Encrypt then Sign
  • Sign and encrypt only PT message

User Authentication
• User Authentication = Verification of identity
• Secret key approach
  • Using Symmetric-Key only
    • MIM attack where data is intercepted, tampered with, or replayed again to receiver
  • Using a nonce/challenge
    • A random number
    • Replay is resolved
  • Bidirectional
    • Must have a unique challenge per session
• Public key approach
  • Subject to MIM attack
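
The nonce/challenge idea from the secret key approach above, as an added example that is not part of the original slides. The `Verifier` class, the `respond` helper and the `C->S` / `S->C` direction labels are assumptions made for illustration; the slides only say that a fresh random challenge per session resolves replay.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, nonce: bytes, direction: bytes) -> bytes:
    """Answer a challenge: a MAC over the nonce proves knowledge of the key."""
    return hmac.new(key, direction + nonce, hashlib.sha256).digest()


class Verifier:
    """One side of the exchange; issues challenges and accepts one answer each."""

    def __init__(self, key: bytes, expects: bytes):
        self._key = key
        self._expects = expects      # direction label this side accepts (assumption)
        self._outstanding = set()    # challenges issued and not yet answered

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh random number per session
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, answer: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                  # unknown or already used: replay
        self._outstanding.discard(nonce)  # one answer per challenge
        expected = respond(self._key, nonce, self._expects)
        return hmac.compare_digest(expected, answer)


def demo() -> dict:
    key = secrets.token_bytes(32)         # constructed shared secret
    server = Verifier(key, b"C->S")
    client = Verifier(key, b"S->C")       # bidirectional: the client challenges too

    n1 = server.new_challenge()
    captured = respond(key, n1, b"C->S")  # what an eavesdropper would record
    results = {"login": server.check(n1, captured)}

    # The recorded answer is replayed against the old and against a new challenge.
    results["replay_same_nonce"] = server.check(n1, captured)
    results["replay_new_nonce"] = server.check(server.new_challenge(), captured)

    # The server proves itself on the client's own challenge.
    n2 = client.new_challenge()
    results["server_auth"] = client.check(n2, respond(key, n2, b"S->C"))

    # An answer computed for the other direction is not accepted as a login.
    n3 = server.new_challenge()
    results["reflected"] = server.check(n3, respond(key, n3, b"S->C"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```
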

Key Management
• Symmetric Key Distribution
  • Problems with distributing symmetric key
  • Diffie-Hellman Method
    • Subject to MIM attack
  • KDC Method
• Public-Key Certification
  • Certificate-based

KDC (Key Distribution Center)
• Problem with Diffie-Hellman approach is that information is sent in plaintext
  • R1 and R2 need to be encrypted
  • A secret key is needed
  • So we have a vicious circle
• Three solutions
  • Using KDC
  • Needham-Schroeder Protocol
  • Otway-Rees Protocol

Using KDC
• Sender and receiver register with KDC and each is given a private key
• KDC sends a ticket back to sender
• Vulnerable to replay attacks at step 3 and beyond

Needham-Schroeder Protocol
• Solves replay attack
• Uses 4 nonces
• (R1-1) and (R2-1) are used to ensure that ticket was received correctly (decrypted and processed properly)

Otway-Rees Protocol
• Solves replay attack with fewer steps
• R is a common nonce. R is different for each session. Used to make sure encryption and decryption got processed properly

Public Key Certification
• MIM attack. Intruder can intercept the public key in transit and send his own.
• A need for a trusted entity, a certificate authority (CA), to solve public key fraud
• CA can be public.
  • Their public key is trusted and embedded with the OS and applications. It can also be added manually.
  • Examples
    • Thawte
    • VeriSign
    • Entrust
• CA can be private
  • Owned by an organization

X.509

Field             Explanation
Version           Version number of X.509
Serial number     The unique identifier used by the CA
Signature         The certificate signature, SHA-1, MD5 of CA
Issuer            The name of the CA defined by X.509
Validity period   Start and end period that certificate is valid
Subject name      The entity whose public key is being certified
Public key        The subject public key and the algorithms that use it

PKI (Public Key Infrastructure)
• Like DNS, there is a need for hierarchical structure of CAs that are public and private
• The principle of cross certification
• The CA does not need to be on-line
• CA certificate is typically issued by upper level certificate.
  • Root CA issues its own certificate
  • Local CA can issue its own certificate

Use of Certificates
• Email
  • PGP-based: Faster than S/MIME
    • PGP, OpenPGP, GnuPG (Gnu Privacy Guard)
    • Email clients:
      • Enigmail
      • PGP Mail
      • Hushmail (web based)
  • S/MIME or Certificate based (Digitally signed and then encrypted)
    • Email clients:
      • Outlook
      • Mozilla Thunderbird
• https and SSL
• SSH
• Software protection and signing
• Certificate-based user authentication
  • FTP
  • Dialup
  • Directory
  • .Net

PGP
• Invented by Phil Zimmermann to provide privacy, integrity, authentication, and nonrepudiation
• Uses digital signature to provide integrity, authentication, and nonrepudiation
• Uses one-time secret-key and public-key encryption to provide privacy
  • Message only makes sense at the receiver
• What is the job of one-time secret key? What if it gets removed?
  • Encryption is faster with one-time secret key, especially when email is long.
  • One-time key is very short

S/MIME
• Secure / Multipurpose Internet Mail Extension
• Provides similar services to PGP
• Based on technology from RSA Security
• Can use symmetric or asymmetric key encryption
  • As specified in the MIME headers
• S/MIME certificates are X.509 conformant
• Contained in email clients
  • MS Outlook
  • Netscape Communicator
  • Eudora
  • Mozilla Thunderbird
  • etc.

Security facilities in the TCP/IP protocol stack

SSL and TLS
• SSL – Secure Socket Layer
• TLS – Transport Layer Security
• Both provide a secure transport connection between applications (e.g., a web server and a browser)
• SSL was originated by Netscape
  • SSLv1 and SSLv2
• SSL version 3.0 has been implemented in many web browsers (e.g., Netscape Navigator and MS Internet Explorer) and web servers and widely used on the Internet
• SSL v3.0 was specified in an Internet Draft (1996)
• It evolved into TLS specified in RFC 2246
• TLS can be viewed as SSL v3.1

Transport Layer Security
• For any TCP protocol: HTTP (https:// port 443), NNTP, telnet, POP, SFTP, etc.
• For transactions on the Internet, a browser needs to:
  • Make sure that server belongs to the actual vendor
  • Make sure that contents of message are not modified during transit
  • Make sure that the impostor does not interpret sensitive information.
• TLS has two protocols: Handshake and data exchange protocol.
  • Handshake: Responsible for negotiating security parameters (encryption method, etc.), authenticating the server to the browser, and (optionally) defining other communication parameters.
  • Data exchange (record) protocol uses the secret key to encrypt the data for secrecy and to encrypt the message digest for integrity.

SSL Record Protocol Services
• Confidentiality – the handshake protocol defines a shared key for encryption of SSL payloads
• Message Integrity – the handshake protocol defines a shared key used to form message authentication code (MAC)

Handshake Protocol
• Browser sends a hello message that includes TLS version and some preferences
• Server sends a certificate message that includes the public key of the server. The public key is certified by some certification authority, which means that the public key is encrypted by a CA private key. Browser has a list of CAs and their public keys. It uses the corresponding key to decrypt the certification and finds the server public key. This also authenticates the server because the public key is certified by the CA.
• Browser generates a secret key, encrypts it with the server public key, and sends it to the server.
• Browser sends a message, encrypted by the secret key, to inform the server that handshaking is terminating from the browser side.
• Server decrypts the secret key using its private key and decrypts the message using the secret key. It then sends a message, encrypted by the secret key, to inform the browser that handshaking is terminating from the server side.

SSL Hashing and Encryption
• Supported hash functions:
  • MD5
  • SHA-1
• Supported encryption algorithms
  • Block ciphers (in CBC mode)
    • RC2_40, DES_40, DES_56, 3DES_168, IDEA_128, Fortezza_80
  • Stream ciphers
    • RC4_40, RC4_128

• Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, compression, and exchange of initial random numbers or nonces to prevent replay attacks of key exchange.
  • client_hello
  • server_hello
• Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
  • certificate
  • server_key_exchange
  • certificate_request
  • server_hello_done
• Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
  • certificate
  • client_key_exchange
  • certificate_verify
• Phase 4: Change cipher spec (to change the operating state to finished) and finish handshake
  • change_cipher_spec
  • finished
  • change_cipher_spec
  • finished

State changes
• State
  • Handshake
  • Alert
  • Data Exchange
• operating state
  • currently used state
• pending state
  • state to be used
  • built using the current state
• operating state <- pending state
  • at the transmission and reception of a Change Cipher Spec message
[Figure: party A (client or server) sends Change Cipher Spec to party B (server or client). The sending part of the pending state is copied into the sending part of the operating state; the receiving part of the pending state is copied into the receiving part of the operating state.]

Server certificate and key exchange messages
• certificate
  • required for every key exchange method except for anonymous DH (Diffie-Hellman)
  • contains one or a chain of X.509 certificates (up to a known root CA)
  • may contain
    • public RSA key suitable for encryption, or
    • public RSA or DSS key suitable for signing only, or
    • fixed DH parameters
• server_key_exchange
  • sent only if the certificate does not contain enough information to complete the key exchange (e.g., the certificate contains an RSA signing key only)
  • may contain
    • public RSA key (exponent and modulus), or
    • DH parameters (p, g, public DH value), or
    • Fortezza parameters
  • digitally signed
    • if DSS (Digital Signature Standard by NIST): SHA-1 hash of (client_random | server_random | server_params) is signed
    • if RSA: MD5 hash and SHA-1 hash of (client_random | server_random | server_params) are concatenated and encrypted with the private RSA key
• certificate_request
  • sent if the client needs to authenticate itself
  • specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)
• server_hello_done
  • sent to indicate that the server has finished its part of the key exchange
  • after sending this message the server waits for client response
  • the client should verify that the server provided a valid certificate and the server parameters are acceptable

Client authentication and key exchange
• certificate
  • sent only if requested by the server
  • may contain
    • public RSA or DSS key suitable for signing only, or
    • fixed DH parameters
• client_key_exchange
  • always sent (but it is empty if the key exchange method is fixed DH)
  • may contain
    • RSA encrypted pre-master secret, or
    • client one-time public DH value, or
    • Fortezza key exchange parameters
• certificate_verify
  • sent only if the client sent a certificate
  • provides client authentication
  • contains signed hash of all the previous handshake messages
    • if DSS: SHA-1 hash is signed
    • if RSA: MD5 and SHA-1 hashes are concatenated and encrypted with the private key
      MD5( master_secret | pad_2 | MD5( handshake_messages | master_secret | pad_1 ) )
      SHA( master_secret | pad_2 | SHA( handshake_messages | master_secret | pad_1 ) )
• finished
  • sent immediately after the change_cipher_spec message
  • first message that uses the newly negotiated algorithms, keys, IVs, etc.
  • used to verify that the key exchange and authentication were successful
  • contains the MD5 and SHA-1 hash of all the previous handshake messages:
      MD5( master_secret | pad_2 | MD5( handshake_messages | sender | master_secret | pad_1 ) ) |
      SHA( master_secret | pad_2 | SHA( handshake_messages | sender | master_secret | pad_1 ) )
    where "sender" is a code that identifies that the sender is the client or the server (client: 0x434C4E54; server: 0x53525652)
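
The finished and certificate_verify hash constructions above, written out as an added example that is not part of the original slides. The pad values (0x36 and 0x5c, repeated 48 times for MD5 and 40 times for SHA-1) come from the SSL 3.0 specification, not from the slides; the function names, the master secret and the transcript byte strings are constructed for illustration.

```python
import hashlib
import hmac

SENDER_CLIENT = bytes.fromhex("434C4E54")  # "CLNT", value given on the slide
SENDER_SERVER = bytes.fromhex("53525652")  # "SRVR", value given on the slide

# pad_1 = 0x36 and pad_2 = 0x5c, repeated 48 times for MD5, 40 times for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}


def _nested(alg: str, transcript: bytes, sender: bytes, master: bytes) -> bytes:
    pad_1 = b"\x36" * PAD_LEN[alg]
    pad_2 = b"\x5c" * PAD_LEN[alg]
    inner = hashlib.new(alg, transcript + sender + master + pad_1).digest()
    return hashlib.new(alg, master + pad_2 + inner).digest()


def finished_hashes(transcript: bytes, sender: bytes, master: bytes) -> bytes:
    """MD5(...) | SHA(...) as carried in the finished message (16 + 20 bytes)."""
    return (_nested("md5", transcript, sender, master)
            + _nested("sha1", transcript, sender, master))


def certificate_verify_hashes(transcript: bytes, master: bytes) -> bytes:
    """Same construction without the sender code; this is the value that is signed."""
    return finished_hashes(transcript, b"", master)


def peer_finished_ok(received: bytes, my_transcript: bytes,
                     peer: bytes, master: bytes) -> bool:
    """Recompute the peer's finished value over the messages this side saw."""
    expected = finished_hashes(my_transcript, peer, master)
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    master = bytes(range(48))  # constructed 48-byte master secret
    # Constructed stand-ins for the encoded handshake messages, in order.
    sent_by_client = b"client_hello[3DES_168,RC4_128,RC4_40]|server_hello[RC4_40]"
    # What the server received when the client_hello was altered in transit.
    seen_by_server = b"client_hello[RC4_40]|server_hello[RC4_40]"

    client_fin = finished_hashes(sent_by_client, SENDER_CLIENT, master)
    return {
        "length": len(client_fin),
        "intact": peer_finished_ok(client_fin, sent_by_client, SENDER_CLIENT, master),
        "altered": peer_finished_ok(client_fin, seen_by_server, SENDER_CLIENT, master),
        # The client's own value echoed back does not pass as the server's.
        "echoed": peer_finished_ok(client_fin, sent_by_client, SENDER_SERVER, master),
    }


if __name__ == "__main__":
    print(demo())
```
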

Countermeasures to hijacking SSL sessions using MIM attack
• Education
  • Sysadmins
    • Register with CA
  • Users
    • Beware of alerts
• Use L3 Switches
  • Track and maintain IP/MAC pairs
• S-ARP protocol
  • Certificate-based
• Modify kernel to not honor unsolicited ARP replies
  • Sun Solaris
  • Linux 2.4 and 2.6
• Use IDS
  • Track and maintain IP/MAC pairs
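
One way an IDS or switch could "track and maintain IP/MAC pairs", as an added example that is not part of the original slides. The log format, the function names and all addresses (documentation-range IPs, locally administered MACs) are constructed for illustration.

```python
# Constructed sample: "seconds IP MAC" as taken from observed ARP replies.
ARP_LOG = """\
100 192.0.2.1  02:00:00:00:00:01
105 192.0.2.10 02:00:00:00:00:10
160 192.0.2.1  02:00:00:00:00:01
200 192.0.2.1  02:00:00:00:00:66
201 192.0.2.10 02:00:00:00:00:66
230 192.0.2.20 02:00:00:00:00:20
"""


def parse(log):
    """Yield (seconds, ip, mac) from well-formed lines; skip anything else."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].isdigit():
            yield int(fields[0]), fields[1], fields[2].lower()


def check_pairs(log, pinned=None):
    """Return (alerts, table).

    table maps IP -> MAC. Entries in `pinned` (e.g. the gateway) are trusted
    from the start; any other IP is learned on first sighting. An alert is
    (seconds, ip, known_mac, claimed_mac).
    """
    table = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    alerts = []
    for ts, ip, mac in parse(log):
        known = table.setdefault(ip, mac)
        if known != mac:
            # Report the conflicting claim and keep the existing binding.
            alerts.append((ts, ip, known, mac))
    return alerts, table


def macs_claiming_many(alerts, threshold=2):
    """MACs that tried to take over at least `threshold` already-bound IPs."""
    claimed = {}
    for _ts, ip, _known, mac in alerts:
        claimed.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    found, _table = check_pairs(ARP_LOG)
    for ts, ip, known, claimed_mac in found:
        print(f"t={ts} {ip}: bound to {known}, now claimed by {claimed_mac}")
    print(macs_claiming_many(found))
```

Learning a pair on first sighting trusts whoever answers first, so critical addresses such as the default gateway are better supplied through `pinned`.
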

OpenSSL vs. PGP
• http://www.openssl.org
• OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
• The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for
  • Creation of RSA, DH and DSA key parameters
  • Creation of X.509 certificates, CSRs and CRLs
    • CSR (Certificate Signing Request) containing public key to submit to CA
    • CRL (Certificate Revocation List) to submit to CA to revoke certificates
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail

Kerberos V5 – not a certificate based authentication
• A network authentication protocol of users developed by MIT
• Named after Greek mythology – a dog with 3 heads that guards the gates
• Used in Windows to overcome shortcomings of NTLM
  • NTLM is less secure. Latest version uses a challenge/response authentication
    • Client identifies itself to the Server
    • Server sends the Client a challenge, R
    • Client responds in one message with NT response and LM response
      • NT response is based on LM Hash (of user password) and R
      • LM response is based on NT Hash (of user password) and R
      • Therefore, one can crack LM Hash or NT Hash separately!
    • This info is based on reverse engineering
  • In Windows XP, either Kerberos or NTLM can be selected for user authentication
• Kerberos claims more scalability and is more backward compatible.
• Has three servers
  • Authentication Server (AS)
  • Ticket-Granting Server (TGS)
  • Real Server
    • FTP server
    • Dial up server
    • Directory server

Kerberos Example
• KA is generated locally when AS replies the first time. Alice has to enter a password. The password is then destroyed.
• T is a challenge or a timestamp to prevent replay attack
• KS is the session key
• If Alice wants to communicate with another server, she does not need to do the first two steps again