CSCD 434 Spring 2019 Lecture 15 Uses of Cryptography
Introduction • Useful to look at how cryptography is used in security • Not magic!!! • Helps with many problems but not all • Plus, think about how crypto security protocols are not being used because of ... • Usability, understandability, reliability, simplicity ...
Cryptography at the Stack Level • Where in the network stack can we put cryptographic protocols? • OR, another way to think of this ... • What is the best layer to include cryptography?
Network Stack and Associated Crypto Based Protocols • Application Layer • PGP • S/MIME • S-HTTP • HTTPS • SET • SSH • Transport Layer • SSL/TLS • Network Layer • IPSec • VPN • Data Link Layer • Hardware Based Solutions
Cryptographic Protocols • Application Layer • PGP Web of trust, open source encryption services • S/MIME Adds encryption and digital signatures to MIME linked content • S-HTTP Adds the ability to authenticate the user as well as the server • HTTPS This is HTTP over SSL/TLS • SET Complicated protocol developed by credit card companies; all parties involved in the payment must be authenticated • SSH Encrypted Telnet
Cryptographic Protocols • Transport Layer • SSL/TLS Main protocol used in Web sites for secure browsing • Network Layer • IPSec Network based protocol for securing packets at network level • VPN Encrypted tunnel for communicating between parties; often uses IPSec
SSL Beginnings • First, Secure Socket Layer, SSL • Introduced by Netscape, then standardized, early 1990's • Later, Transport Layer Security, TLS • The IETF standardized Transport Layer Security (TLS) Version 1, a minor variation of SSL, in RFC 2246, then • Version 1.1 in RFC 4346 and • Version 1.2 in RFC 5246 - SSL morphed into TLS
SSL is now also TLS • When secure connection initially established, • Depending on implementation, negotiates support of particular protocol from the set • SSLv2, SSLv3, TLSv1 or TLSv1.1 (now TLSv1.2) • When using SSL ... in most cases what is called SSL is most likely using TLS • For instance OpenSSL, an implementation of SSL • Supports both SSL (v2 and v3) and TLS (TLSv1) protocols
SSL and TLS: Where does it reside? • Protocol stack figure: HTTP, Telnet, FTP and LDAP sit above SSL/TLS, which sits above TCP, which sits above IP
Let's Go Shopping! • When I go to a site to buy goods, • Shop for items (books), put in cart • Check-out, asked for my login credentials • At that point SSL kicks in and a lot happens behind the scenes to bring me that nice secure https feeling • For one thing, we are now using port 443, not port 80
SSL Does Three Jobs What are the three things that SSL accomplishes?
SSL Does Three Jobs 1. Data Encryption • Protect data in transit between client and server 2. Server and Client Authentication • Uses public key cryptography to authenticate communicating parties to each other 3. Message Integrity • Session keys based on message so data can't be tampered with
SSL Functionality • Two Layers to SSL • Three protocols in first layer 1. SSL Handshake, SSL Alert Protocol, Change Cipher Specification • One protocol at second layer 2. SSL Record Protocol • (Figure: Change Cipher Protocol, SSL Alert Protocol and SSL Handshake Protocol stacked above the SSL Record Protocol)
SSL Functionality First Layer • SSL Handshake - Client and Server • 1. Establish Cipher Suite • 2. Authenticate Server • Sends certificate, checks signed by trusted CA • 3. Optional authenticate client • Few customers get digital certificates, does not occur • 4. Exchange key info using public key algorithm • Client generates a Session Key • Random number which is used with the cipher for all encryption and decryption • Encrypts session key using server public key • Server recovers session key by decrypting it with private key
SSL Functionality First Layer • SSL Alert Protocol • Session warnings ranging from unknown certifications, revoked certs, expired certs etc • Alert messages convey severity of message and a description of the alert • Upon transmission or receipt of fatal alert message, both parties immediately close connection • Change Cipher Specification • The change cipher spec protocol exists to signal transitions in ciphering strategies
SSL Functionality Second Layer • SSL Record Protocol • Provides Confidentiality • Handshake protocol provides the shared secret key • Uses public/private keys to verify key integrity • Message Integrity • Uses the secret key to form a Message Authentication Code (MAC) or HMAC • A message authentication code, or MAC, feeds a key and plaintext to an algorithm to create the MAC Both stream and block ciphers can be used as MACs • The MAC ensures that the data has not been modified during transmission
SSL Functionality Second Layer • SSL Record Protocol - More Details • Takes application message, fragments it, • Optionally, compresses it, • Adds a MAC, Message Authentication Code • Adds SSL Header, and sends it via TCP • Receiving party recomputes MAC and compares it to what was received to verify good message integrity
SSL Record Protocol • The SSL Record Protocol uses the keys derived from the Handshake Protocol • Messages are broken into blocks of at most 16384 bytes • Then, does the following steps (figure): Data → Fragmentation (chunks) → Compression (shrunk) → MAC appended → Encrypt → Prepend Header
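The record pipeline above (fragment at 16384 bytes, append a MAC, encrypt, prepend a header) and the receiver's MAC recomputation, as an added example that is not from the lecture. It assumes HMAC-SHA1 as the MAC and substitutes a SHAKE-derived keystream for the bulk cipher, since SSL's RC4/DES/3DES are not in the Python standard library; compression is skipped.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 16384           # record payload limit from the slide
APPLICATION_DATA = 23          # record content type for application data
MAC_LEN = 20                   # HMAC-SHA1 output length

def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    # Constructed stand-in for the bulk cipher (real SSL used RC4/DES/3DES):
    # a per-record keystream that is XORed onto fragment + MAC.
    return hashlib.shake_256(enc_key + seq.to_bytes(8, "big")).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def compute_mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    # MAC covers the record sequence number, type and length as well as
    # the fragment, so reordering or truncating records is also detected.
    hdr = struct.pack("!QBH", seq, APPLICATION_DATA, len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()

def protect(message: bytes, mac_key: bytes, enc_key: bytes) -> list:
    records = []
    for seq, off in enumerate(range(0, len(message), MAX_FRAGMENT)):
        frag = message[off:off + MAX_FRAGMENT]            # 1. fragment
        body = frag + compute_mac(mac_key, seq, frag)     # 2. append MAC
        ct = xor(body, keystream(enc_key, seq, len(body)))  # 3. encrypt
        header = struct.pack("!BHH", APPLICATION_DATA, 0x0300, len(ct))
        records.append(header + ct)                       # 4. prepend header
    return records

def unprotect(records: list, mac_key: bytes, enc_key: bytes) -> bytes:
    out = bytearray()
    for seq, rec in enumerate(records):
        ctype, version, length = struct.unpack("!BHH", rec[:5])
        body = xor(rec[5:5 + length], keystream(enc_key, seq, length))
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        # Receiver recomputes the MAC and rejects the record on mismatch
        if not hmac.compare_digest(mac, compute_mac(mac_key, seq, frag)):
            raise ValueError(f"bad MAC on record {seq}")
        out += frag
    return bytes(out)
```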
SSL Record Protocol • Limited selection of ciphers and MAC algorithms allowed • Interchange Ciphers • RSA, Diffie-Hellman (signed and unsigned), Fortezza • Bulk Encryption Cipher • RC4, RC2, DES (CBC Mode), 3DES (EDE-CBC Mode), Fortezza (CBC) • MAC • SHA-1 and MD5
SSL Protocol – Server Side • An Example • Server (e.g. a web site) owners have to go through these steps to support SSL: 1. Get certificate for public key from a root authority Sign the key, usually costs money • Prices range from $64 … > $500 / year 2. Generate server’s private/public key pair using RSA 3. Install SSL support on server site 3a. If web server Apache, mod_ssl has to be enabled and configured to use the certificate you obtained
SSL Protocol – Client Side • Client-side • A browser typically contains a collection (50-100) of root authorities’ public keys to verify identity of a web server • So, it is practically transparent to the browser user when visiting secure sites (Look at examples of these …. )
Strengths of SSL • Brute-force Attack • Encryption methods can be said to be safe in the foreseeable future – feasibility of breaking DES or AES • Replay Attack • Attack works by rerunning the messages sent earlier • SSL defeats it by using a 128-bit nonce value that is unique to that connection • Man-In-the-Middle Attack • SSL uses signed certificates to authenticate the server's public key … however there can be problems with valid certificates
Weaknesses of SSL • Certificate Problems • Not signed by a trusted Certificate Authority • Expired certificates • No certificate revocation list (CRL) in spec! • Only real server authentication is that DNS name in URL matches the name in the certificate • You are fooled into using a wrong name www.isbankasi.com.tr instead of www.isbank.com.tr you’ll never know
Web Spoofing and SSL • Web spoofing • Pretending to be somebody else’s web site • Allows traffic to be intercepted and changed • All Web traffic must pass through attacker’s proxy • Somebody puts a false link in a popular Web page • Choosing DNS name very close to the real one (www.isbankasi.com.tr instead of www.isbank.com.tr) • Users must be careful to detect it • Can NOT be stopped -- even with SSL • Unless you are using client side certificates • Which are Not common today
SSL Spoofing • Moxie Marlinspike created sslstrip and presented at Black Hat DC 2009. http://www.thoughtcrime.org/ • Does not attack SSL itself, but the transition from non-encrypted to encrypted communications • It will transparently hijack HTTP traffic on a network, watch for HTTPS … then map those links into either look-alike HTTP links or homograph-similar HTTPS links • It still works (2018) if the website is not configured correctly to use HTTPS, see link below • http://www.ethicalpentest.com/2018/08/bettercap-with-sslstrip-attack-hsts.html
SSL and Heartbleed What is the problem with Heartbleed? • Disclosed in 2014 … • OpenSSL Library with heartbeat extension • Buffer overrun in the extension • Give it a short payload but declare a long length; it reads that whole length out of memory and sends it back • 17% of secure webservers vulnerable at the time • Was enabled by default • Allowed memory viewing of private keys, passwords, login credentials for two years • Fix: Re-issued new certificates, people encouraged to get new passwords …
Surprise!!! IP is not Secure! • IP protocol was designed in the late 70s to early 80s • Part of DARPA Internet Project • Very small network • All hosts are known! • So are the users! • Therefore, security was not built-in
IP Security • IP datagrams have no inherent security • IP source address can be spoofed • Content of IP datagrams can be sniffed • Content of IP datagrams can be modified • IP datagrams can be replayed • IPSec is a method for protecting IP datagrams • Standardized by IETF • Only sender and receiver have to be IPsec compliant • Rest of network can be regular IP
Goals of IPSec • To verify sources of IP packets • Authentication • To prevent replaying of old packets • Called Replay Attack • To protect integrity and/or confidentiality of packets • Data Integrity/Data Encryption
What Exactly is IPSec? • IPSec is a suite of authentication and encryption mechanisms • Like a security Framework!!!! • IPSec has a complex set of protocols described in a number of RFCs • See following Slide • Designed to run in new version of Internet Protocol, IP Version 6 (IPv6) • It has also successfully run in IPv4
IPSec • A collection of protocols (RFC 2401) • Authentication Header (AH) • RFC 2402 • Encapsulating Security Payload (ESP) • RFC 2406 • Internet Key Exchange (IKE) • RFC 2409 • IP Payload Compression (IPcomp) • RFC 3137
IPSec in English • IPSec ensures • Authorized parties may exchange private IP packets securely over a public network • Packet content is kept confidential and ensures integrity • Thru encryption / Protected against modification through digital signature • IPSec can be used to • Securely “tunnel” packets to routers or firewalls over a WAN Or • Securely “transport” packets end to- end between desktops and servers
IPSec Architecture • IPSec provides security in three situations: • Host-to-host, • Host-to-gateway and • Gateway-to-gateway • IPSec operates in Two Modes: • Transport mode (for end-to-end) • Tunnel mode (for VPN)
Transport and Tunnel Mode • Transport Mode • Transport mode provides host-to-host protection to higher layer protocols between two hosts in both IPv4 and IPv6 • In transport mode, only payload of IP packet is encrypted and/or authenticated. • Routing is intact, since IP header is neither modified nor encrypted • Tunnel Mode • Tunnel mode protects entire IP datagram between two IPSec gateways • In tunnel mode, entire IP packet is encrypted and/or authenticated, then encapsulated into new IP packet with new IP header • More common use for VPNs
IPSec Modes of Operation • Transport Mode: protect the upper layer protocols • Original IP Datagram: IP Header | TCP Header | Data • Transport Mode protected packet: IP Header | IPSec Header | TCP Header | Data (TCP Header and Data are protected) • Tunnel Mode: protect the entire IP payload • Tunnel Mode protected packet: New IP Header | IPSec Header | Original IP Header | TCP Header | Data (everything after the IPSec Header is protected)
IPsec Operation: Transport Mode (figure) • Alice and Bob run IPsec on their own hosts; the Secure Connection runs end to end across both Site Networks and the WAN (e.g. Internet) • Security in each Site Network and secure on the WAN • Extra software required on both hosts
IPsec Operation: Tunnel Mode (figure) • Alice's and Bob's traffic passes through an IPsec Server at each site; the Tunneled Connection runs between the two IPsec Servers • Secure on the WAN (e.g. Internet), but no security in either Site Network • No extra software on the hosts
Other IPSec Concepts • IPSec is connectionless in traditional TCP terms but keeps state on individual IP packets • Does so through • Security Association (SA) and • Security Association Database (SAD)
IPSec Security Associations • Security Association (SA) • Collection of attributes associated with a connection, describes how the entities will use security services to communicate securely • IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption; MD5 or SHA-1 for integrity). • After deciding on the algorithms, the two devices must share session keys. All this must be tracked. • Is asymmetric! • One SA for inbound traffic, another SA for outbound traffic • Security Association Database (SAD) • A database of SAs
IPSec/IKE Acronyms • Security Parameter Index (SPI) • A unique index for each entry in the SAD • Identifies the SA associated with a packet • Security Policy Database (SPD) • Store policies used to establish SAs
Authentication Header (AH) • Provides source authentication • Protects against source spoofing • Provides data integrity • Protects against replay attacks • Use monotonically increasing sequence numbers • NO protection for confidentiality!
Authentication Header (AH) • Data integrity is assured by a "checksum" • Generated by message authentication code (for example, MD5) • Data origin authentication is assured by using a secret shared key in data to be authenticated • Replay protection is provided by use of a sequence number field within the AH Header
Encapsulating Security Payload (ESP) • Same as AH • Uses 32-bit sequence number to counter replay attacks • Uses integrity check algorithms • Only in ESP • Data confidentiality: • Uses symmetric key encryption algorithms to encrypt packets
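The AH mechanics from the two slides above, as an added example that is not from the lecture: a simplified AH-style packet carrying an SPI, a 32-bit sequence number and a keyed integrity check value (ICV), with the receiver looking the SA up by SPI, rejecting replays against a 64-packet sliding window, and only then verifying the ICV. It assumes HMAC-SHA1 truncated to 96 bits as the ICV and omits the immutable IP header fields that real AH also covers.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # assumed: HMAC output truncated to 96 bits, as AH does

class InboundSA:
    """Receiver-side state for one inbound SA (an SAD entry)."""
    def __init__(self, spi: int, key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, key, window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence (highest - i) already seen

def build_ah_packet(spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    # Sender side: SPI | sequence number | ICV | protected payload
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + icv + payload

def receive(sa: InboundSA, packet: bytes) -> str:
    spi, seq = struct.unpack("!II", packet[:8])
    icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    if spi != sa.spi:
        return "unknown SPI"
    # Anti-replay window check before the (more expensive) ICV check
    if seq <= sa.highest - sa.window:
        return "replay (too old)"
    if seq <= sa.highest and (sa.bitmap >> (sa.highest - seq)) & 1:
        return "replay (already seen)"
    expected = hmac.new(sa.key, packet[:8] + payload, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad ICV"     # forged or modified: window state is NOT updated
    # Authenticated and new: slide the window forward if needed, mark seq seen
    if seq > sa.highest:
        sa.bitmap = (sa.bitmap << (seq - sa.highest)) & ((1 << sa.window) - 1)
        sa.highest = seq
    sa.bitmap |= 1 << (sa.highest - seq)
    return "accepted"
```

Out-of-order packets inside the window are accepted once; a packet replayed later, or one older than the window, is dropped without touching the key.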
Outline • Internet Key Exchange (IKE) • IPsec Policy • Discussion