Group 6 A Study of Strengths and Weaknesses between Network Security Protocols Jolie Beckner Aaron Hayner Jared Kozel Jordan Redman Justin Redman


Group 6

A Study of Strengths and Weaknesses between Network Security Protocols

Jolie Beckner, Aaron Hayner, Jared Kozel, Jordan Redman, Justin Redman


Open System Interconnection Model

• Defines an intense networking framework


Application Set

Layer 7 – Application Layer
Layer 6 – Presentation Layer
Layer 5 – Session Layer


Transport Set

Layer 4 – Transport Layer
Layer 3 – Network Layer
Layer 2 – Data Link Layer
Layer 1 – Physical Layer


Secure Sockets Layer/Transport Layer Security


Secure Socket Layer/Transport Layer Security

• Internet Age in the 1990s brought demand for protection of information
• Implemented by Netscape in 1996
• Essentially a cryptography protocol


Encryption Protocols

• Key agreements or establishment
• Entity authentication
• Symmetric encryption
• Secured application-layer data transportation
• Non-repudiation methodologies


Encrypting Data on Internet


SSL Advantages

• Point authentication
• Message integrity
• Confidentiality


Point Authentication

• Process of determining the identity of a user that is attempting to access a network


Message Integrity

• SSL sends a message digest – fixed-length representation of the message, along with the message itself


Confidentiality

• Uses encryption algorithms during the SSL handshake


Disadvantages

• Early weak keys could be “brute forced”


SSL Proxy Servers

• Information unencrypted the moment after leaving the proxy server


SSL/TLS Conclusion

• Although SSL/TLS does have disadvantages, we should not toss out the protocol altogether. As a user of the Internet, one has to be aware that seeing the padlock in the lower right-hand corner and “https” as the address prefix does not mean one's information is incapable of getting into the wrong hands. It simply means that you can hope the data was securely transferred to the appropriate server, unaltered, and has not been intercepted.


Secure Shell (SSH)


Why do we need SSH?

• Computer networks are common.
  – It is common for people to have multiple computer accounts.
  – Naturally, users want a way to be able to connect to them all.

• Functions: copying files, logging into computers remotely, transmitting commands, running programs.


Why do we need SSH?

• Could use FTP, Telnet, and rsh; however, these protocols lack network security.

• Example: If a sensitive file is transmitted across the Internet, an intruder could intercept the file.

• Approaches: Firewall, encryption, SSH.


SSH History

• SSH was developed in 1995 by Tatu Ylönen at Helsinki University of Technology.

• Goal: To replace more archaic protocols at the time (rlogin, Telnet, rsh), which did not guarantee confidentiality or strong authentication.

• This version, named SSH-1, was released in the summer of 1995, and 20,000 people in 50 countries used it by the end of the year.


SSH History

• In 1996, a revised version, SSH-2, was developed, and it was incompatible with SSH-1.

• SSH-2 improved upon SSH-1, because SSH-1 had security, performance, and portability weaknesses.

• Today, SSH is used by over two million people in 60 countries.


What is SSH?

• Widely-popular, powerful, software-based approach to network security.

• Network protocol and program that allows users to establish a secure channel between a local and remote computer over an insecure network.


How to use SSH

• Typically run over UNIX environments.
• Windows-based apps, such as PuTTY, provide a UNIX-style terminal for “SSHing” to remote machines.
• Commonly used commands:
  • ssh hostname // to log into a machine
  • ssh hostname command // execute command on machine hostname
  • ssh -v hostname // login to machine hostname and print debug


Benefits

• Encryption: Data being sent by a computer to the network is automatically encrypted by SSH, then decrypted by SSH when it reaches the destination. This results in transparent encryption.

• Public-key cryptography:


Benefits

• Prevents:
  • Man-in-the-middle attacks
  • Manipulation of data
  • Interception of data
  • IP spoofing
  • IP source routing

• Prompts for password three times, then does not allow any more tries, and contacts network admin.


Weaknesses

• SSH is dependent on TRUST. As with any encrypted protocol, if the people inside do not responsibly use SSH, the system can be compromised.

• SSH-1 did not protect against man-in-the-middle attacks and brute force attacks. These issues were addressed in SSH-2.


Weaknesses

• Brute force attacks, although “supposedly” protected in SSH-2, have been recently performed with much success.

• Sebastian Krahmer wrote a threaded SSH-2 brute force tool named “guess-who”, which allows up to 30 username/password attempts every second!
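
Added example (not part of the original slides): one way a defender can spot password guessing at the rate described above is to count failed logins per source address in a sliding time window. The log lines are constructed in the style of sshd "Failed password" messages with ISO timestamps; the host name, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {source_ip: usernames tried} for every source that produced
    at least `threshold` failures inside one sliding `window`.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)      # per-IP usernames seen in failed attempts
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other noise
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

# Constructed sample: one user mistyping a password once, and one source
# trying eight username/password pairs within two seconds.
GUESSES = ["admin", "test", "oracle", "guest", "ftp", "admin", "test", "oracle"]
SAMPLE_LOG = [
    "2024-03-03T10:15:00 gw sshd[2201]: Failed password for alice "
    "from 198.51.100.4 port 40022 ssh2",
    "2024-03-03T10:15:40 gw sshd[2201]: Accepted password for alice "
    "from 198.51.100.4 port 40022 ssh2",
] + [
    f"2024-03-03T10:16:0{i // 4} gw sshd[{2300 + i}]: Failed password for "
    f"invalid user {user} from 203.0.113.7 port {50000 + i} ssh2"
    for i, user in enumerate(GUESSES)
]

if __name__ == "__main__":
    for ip, tried in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: users tried {tried}")
```

A source flagged this way is a candidate for rate limiting or blocking at the firewall, which covers the case where the per-connection three-prompt limit is bypassed by opening many connections.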


Secure Copy Protocol (SCP)


What is SCP?

• Securely copies computer files between hosts on a network.

• Available with UNIX or Linux OS.
• SCP uses SSH to provide security and authentication.


How to use SCP

• Use the scp command to copy files between systems.

• Use the following command: scp filename1 userid@hostname:filename2


Kerberos


Kerberos

• Developed at MIT as part of project Athena.

• Kerberos's main goal is to make a simple, secure authentication process through
  – Single Sign On Access
  – By using a secret key that is never transferred over any network.


Kerberos

• Kerberos uses a trusted third party, the Key Distribution Center, and has three major parts to contribute to its success.
  – Authentication Server (AS)
    • Authenticates Server to Client
  – Ticket Granting Server (TGS)
    • Provides extra protection so the user password is only entered once
  – Service Server (SS)
    • Allows client to access service.


A Visual Representation


Application Server

-User enters in user name and password

-Request is sent to AS requesting services

-AS checks database for user

-AS returns a random key with service name, and user's long-term key

-Calls the Ticket Granting Server


Ticket Granting Server

• Generates an initial ticket or a Ticket Granting Ticket (TGT) for the user.
  – The session for the TGT is encrypted using the user's long-term key.

Now that the user has a TGT, the user will not need their password again; instead they will just have to contact AS for a ticket but will never need to call the TGS again.


The Service Server

• Takes in the user’s encrypted session key (called the authenticator), and the ticket.

• The service server then decrypts the session key with its long-term key.

• The authentication from the user to the service is now completed


Advantages

• Password is never sent over the network
• In order to gain access, the ticket and the authenticator are both needed, so if the ticket is stolen, it cannot be used on its own.

• Kerberos is widely used by programmers, cryptologists, and security experts, so if there is any weakness in the process, it is found and fixed quickly.

• Kerberos is freely available from MIT


Disadvantages

• The DES algorithm that Kerberos uses, once considered “unbreakable”, is now believed to be crackable.

• Because Kerberos uses the Key Distribution Center, anyone who gains administrative access to the KDC has gained access to the entire Kerberos system.

• Kerberos was only created for a single-user system; in the case of a multi-user system it becomes highly vulnerable.

• On a UNIX-based operating system, it is a very tedious process to transfer passwords from a UNIX database to a Kerberos database.


IPSec


IPSec

• What is IPSec?
  – Protocol used with IP to deliver data privacy, integrity, authenticity, and anti-replay protection
  – Devices must share a ‘public key’
  – Allows the implementation of VPNs (Virtual Private Networks)
  – Has two different types of modes
    • Tunnel
    • Transport


VPN

• Virtual Private Networks are established by using the IPSec protocol to provide only authorized access to a network


Networks

• When setting up networks, it is important to apply the security features that IPSec has to make the network more secure


Transport Mode

• Used for LANs

• Sending UDPs (User Datagram Protocol)

• Header is not encrypted, only payload


Tunnel Mode

• Used for large networks

• Allows a ‘tunnel’ to be created between a host or network and a user

• Entire IP packet is encapsulated into a new packet (including header)


Transport vs. Tunnel Modes

• Transport Mode
  – Encrypts just the payload

• Tunnel Mode
  – Encrypts the entire IP Packet


Security Provided

• Provides authentication of another user over the network

• Encrypting traffic sent and received

• Integrity validation for unmodified packets

• Anti-Replay, for session looping


Strengths

• Provided the first security for the IP datagram

• Best available IP security protocol
• Low cost for extra security
• Reduces congestion at Hubs due to VPN tunneling


Weaknesses

• Too much flexibility
  – Ambiguities in definitions
  – Multiple ways to invoke functions

• The main algorithm involved, DES (Data Encryption Standard), has a finite amount of encryptions


Internet Key Exchange


Internet Key Exchange

• Why IKE?
  – Network vulnerability
  – Inadequacy of previous methods
  – Satisfy level 3 of OSI model


• Combination of Older Security Methods
  – ISAKMP
  – Oakley
  – SKEME


IKE Diagram

• Two Step Implementation
  – One: Encapsulate/Encryption of Header, Authentication
  – Two: Manage Information Using Predefined Protocol


Message Transfer Main Mode

Abbreviation definitions:
· i = initiator
· r = responder
· hdr = ISAKMP Header
· hdrc = ISAKMP Header followed by encrypted payloads
· sa = security association payload
· ke = key exchange payload
· nonce = nonce payload
· id = identification payload
· hash = hash payload
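
Added example (not part of the original slides): a simplified model of the six-message Main Mode exchange, labelled with the abbreviations above and using the HASH_I/HASH_R construction that RFC 2409 defines for pre-shared-key authentication. Assumptions: pre-shared-key authentication, a toy Diffie-Hellman group, HMAC-SHA256 as the PRF, constructed identities, and no encryption of the hdrc payloads.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (NOT a real Oakley group).
P, G = 2**127 - 1, 3

def prf(key, data):
    """Keyed PRF; HMAC-SHA256 stands in for the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()

def i2b(n):
    return n.to_bytes(16, "big")

def auth_hash(skeyid, ke_own, ke_peer, cky_own, cky_peer, sa_i, ident):
    """HASH_I / HASH_R: binds both ke values, both cookies, the initiator's
    sa proposal and the sender's id under the shared SKEYID."""
    return prf(skeyid, i2b(ke_own) + i2b(ke_peer) + cky_own + cky_peer
               + sa_i + ident)

def main_mode(psk_i, psk_r):
    """Run the exchange; returns (transcript, responder_ok, initiator_ok)."""
    sa_i = b"constructed-sa-proposal"
    id_i, id_r = b"initiator.example", b"responder.example"
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # hdr cookies
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    ke_i = pow(G, secrets.randbelow(P - 2) + 1, P)
    ke_r = pow(G, secrets.randbelow(P - 2) + 1, P)
    transcript = [
        ("i->r", ["hdr", "sa"]),            # 1: proposal
        ("r->i", ["hdr", "sa"]),            # 2: chosen proposal
        ("i->r", ["hdr", "ke", "nonce"]),   # 3: initiator DH value + nonce
        ("r->i", ["hdr", "ke", "nonce"]),   # 4: responder DH value + nonce
    ]
    # Each side derives SKEYID from its own copy of the key and both nonces.
    skeyid_i = prf(psk_i, n_i + n_r)
    skeyid_r = prf(psk_r, n_i + n_r)

    # 5: initiator proves knowledge of the key; responder recomputes HASH_I.
    hash_i = auth_hash(skeyid_i, ke_i, ke_r, cky_i, cky_r, sa_i, id_i)
    transcript.append(("i->r", ["hdrc", "id", "hash"]))
    expected = auth_hash(skeyid_r, ke_i, ke_r, cky_i, cky_r, sa_i, id_i)
    if not hmac.compare_digest(hash_i, expected):
        return transcript, False, False     # responder aborts, no message 6

    # 6: responder proves knowledge of the key; initiator recomputes HASH_R.
    hash_r = auth_hash(skeyid_r, ke_r, ke_i, cky_r, cky_i, sa_i, id_r)
    transcript.append(("r->i", ["hdrc", "id", "hash"]))
    expected = auth_hash(skeyid_i, ke_r, ke_i, cky_r, cky_i, sa_i, id_r)
    return transcript, True, hmac.compare_digest(hash_r, expected)

if __name__ == "__main__":
    for direction, payloads in main_mode(b"shared", b"shared")[0]:
        print(direction, ", ".join(payloads))
```

With mismatched keys the responder rejects message 5 and the transcript stops there, which is the entity-authentication failure case.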


Message Transfer Aggressive/Quick Modes


Advantages of IKE

• Excellent for Peer-to-Peer Transfer Security

• Encryption Ensures Only Sender/Receiver Have Access


Disadvantages of IKE

• Unable to Secure Large Scale Traffic
• Users Not Required to Identify Selves
  – Creates Uncertainty and Security Vulnerabilities


Questions?