9/23/2003 http://www.emrt.com ©2003 by Steve Kapp, all rights reserved Internet Security for Java Steve Kapp Chief Technologist, EMRT Consultants [email protected]


Page 1: Internet Security for Java

9/23/2003 http://www.emrt.com

©2003 by Steve Kapp, all rights reserved

Internet Security for Java

Steve Kapp

Chief Technologist, EMRT Consultants
[email protected]

Page 2: Internet Security for Java

Agenda

• Internet Security Basics
  - What is it?
  - What are the building blocks?
  - JCA/JCE
• Protocols
  - SSL/TLS
  - JSSE
• Authentication
  - JAAS

Page 3: Internet Security for Java

What is Internet Security?

• A set of network services for:
  - Safely transmitting data across the network
  - Establishing trust relationships
• Each product must determine what security threats exist for that product
  - Network protocols
  - Customer deployment environment
  - Value of data

Page 4: Internet Security for Java

Why Secure at All?

• Due diligence during design
• Reduces potential failure modes
• Reduces access
• Threat mitigation
• Marketing device

Page 5: Internet Security for Java

Misuse Cases

• Use case for an actor with hostile intent
• Two goals:
  - Elicit security requirements
  - Plan mitigation strategy

Diagram (misuse-case example for an NTP client). Actors: NTP server @ stratum 3, Rogue NTP server @ stratum 1. Use cases: Set system clock, Synchronize w/ lower stratum, Authenticate lower stratum. Misuse case: Set invalid time. Relationships drawn between them: Includes, Threatens, Mitigates.

Page 6: Internet Security for Java

IP Reference Model

OSI Stack            IP Stack       Unit
7  Application       Application    Message
6  Presentation
5  Session
4  Transport         Transport      Segment
3  Network           Internet       Packet
2  Data Link         Link           Frame
1  Physical          Physical

Page 7: Internet Security for Java


Where is Security???

Traditionally left to application layers

OR

Not dealt with at all

Page 8: Internet Security for Java

The Risks: Poor Passwords

User name: jsmith
Password: sunset

Page 9: Internet Security for Java

The Risks: Open Ports

• Any open port is a risk
  - Most notably telnet, FTP, NetBIOS, or one of the well-known port numbers
  - Exploit buffer overruns
• Block any ports not absolutely needed

Page 10: Internet Security for Java

The Risks: Buffer Overrun

“An attack in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program’s operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash.” - from Microsoft’s web site

Len = 300;        // length taken from the input and never checked against the buffer size
Buffer[0] = 10;   // Buffer holds four elements; copying Len bytes into it runs past the end
Buffer[1] = 20;
Buffer[2] = 30;
Buffer[3] = 40;

Page 11: Internet Security for Java


The Risks: Eavesdropping

Passive attack

Page 12: Internet Security for Java


The Risks: Masquerade

Page 13: Internet Security for Java

The Risks: Man-in-the-Middle

Page 14: Internet Security for Java

The Risks: Packet Forgery/Alteration

Active attack

Diagram: the sender transmits “ABC”; the attacker alters the packet in transit and the receiver gets “DEF”.

Page 15: Internet Security for Java

The Risks: Replay

Diagram: one captured message “ABC” is retransmitted to the receiver again and again.

Page 16: Internet Security for Java

The Risks: Denial of Service

• DOS
• Distributed DOS

Page 17: Internet Security for Java


Think Bad Guys Don’t Exist?…

204.210.11.26 - - [18/Jun/2002:07:05:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284

204.210.11.26 - - [18/Jun/2002:07:05:08 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282

204.210.11.26 - - [18/Jun/2002:07:05:10 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

204.210.11.26 - - [18/Jun/2002:07:05:12 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

204.210.11.26 - - [18/Jun/2002:07:05:14 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

204.210.11.26 - - [18/Jun/2002:07:05:16 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323

204.210.11.26 - - [18/Jun/2002:07:05:18 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323

204.210.11.26 - - [18/Jun/2002:07:05:22 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

204.210.11.26 - - [18/Jun/2002:07:05:25 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

204.210.11.26 - - [18/Jun/2002:07:05:27 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

from the access log of my personal web server

McAfee Firewall blocked an incoming UDP packet. The remote address associated with the traffic was 212.205.240.117. The remote port was 1030 [ephemeral]. The local port on your PC was 137 [NetBIOS]. The network adapter for the traffic was "3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)".  The binary data contained in the packet was "00 06 5b d4 c3 84 08 00 3e 19 30 e5 08 00 45 00 00 4e bd 70 00 00 6e 11 a3 42 d4 cd f0 75 18 5d 0e 4c 04 06 00 89 00 3a cf b5 01 00 00 10 00 01 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ". 

from the access log of McAfee Firewall
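The web-server log above is the kind of input a detection rule is written against. The following is an added example, not part of the deck: it parses common-log-format lines and flags the traits these probes share (requests for cmd.exe or root.exe, double-URL-encoded and overlong-UTF-8 traversal sequences), then counts hits per source host. Four lines are copied from the slide; the 10.0.0.7 line is constructed as a benign contrast. Assumes Java 16+ (records).

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogTriage {
    // Apache common log format: host ident user [time] "method path protocol" status bytes
    static final Pattern CLF = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\S+)$");

    // Traits of the probes on the slide: direct requests for cmd.exe or root.exe, a double-URL-encoded
    // backslash after ".." (..%255c) and overlong UTF-8 encodings of '/' or '\' (..%c0%af, ..%c1%1c).
    static final Pattern PROBE = Pattern.compile(
        "(?i)(/cmd\\.exe|/root\\.exe|\\.\\.%25[0-9a-f]{2}|\\.\\.%c[01]%[0-9a-f]{2})");

    record Hit(String host, String time, String path, int status, String indicator) {}

    // Returns a Hit when the line parses and its request path carries one of the indicators.
    static Optional<Hit> triage(String line) {
        Matcher m = CLF.matcher(line);
        if (!m.matches()) return Optional.empty();
        String path = m.group(4);
        Matcher p = PROBE.matcher(path);
        if (!p.find()) return Optional.empty();
        return Optional.of(new Hit(m.group(1), m.group(2), path, Integer.parseInt(m.group(5)), p.group(1)));
    }

    // Counts hits per source host; a burst from a single address is the signature of automated scanning.
    static Map<String, Long> hitsPerHost(List<String> lines) {
        Map<String, Long> counts = new TreeMap<>();
        for (String line : lines)
            triage(line).ifPresent(h -> counts.merge(h.host(), 1L, Long::sum));
        return counts;
    }

    public static void main(String[] args) {
        // Four lines from the slide plus one constructed benign request.
        List<String> lines = List.of(
            "204.210.11.26 - - [18/Jun/2002:07:05:06 -0400] \"GET /scripts/root.exe?/c+dir HTTP/1.0\" 404 284",
            "204.210.11.26 - - [18/Jun/2002:07:05:10 -0400] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 292",
            "204.210.11.26 - - [18/Jun/2002:07:05:14 -0400] \"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 306",
            "204.210.11.26 - - [18/Jun/2002:07:05:27 -0400] \"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 305",
            "10.0.0.7 - - [18/Jun/2002:07:06:00 -0400] \"GET /index.html HTTP/1.0\" 200 1043");
        for (String line : lines)
            triage(line).ifPresent(h -> System.out.println(
                h.time() + " " + h.host() + " indicator=" + h.indicator() + " status=" + h.status()));
        System.out.println("hits per host: " + hitsPerHost(lines));
        // The 404s show these probes failed; the same indicators with a 200 response call for an investigation.
    }
}
```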

Page 18: Internet Security for Java

Trust Pyramid

Diagram: a pyramid of security services with increasing level of trust toward the top. Layers as labelled on the slide: Integrity, Authentication, Non-Repudiation, Confidentiality, Authorization.

Page 19: Internet Security for Java

Building Blocks

• Encryption algorithms (ciphers)
• Random number generation
• Message digests
• Digital signatures
• Public-key infrastructure
• Certificates

Page 20: Internet Security for Java

Encryption

• Guarantees confidentiality of data sent over the wire
• Provides protection against passive attacks
• Plaintext -> ciphertext -> plaintext
• Symmetric encryption: nodes share a secret key
• Asymmetric encryption (e.g. public-key): nodes do not share a secret key

Page 21: Internet Security for Java

Symmetric Encryption

Diagram: Original Information (plaintext) -> Encryption Algorithm -> Ciphertext -> Decryption Algorithm -> Original Information (plaintext). Alice and Bob key both algorithms with the same Shared Secret Key.

Page 22: Internet Security for Java

Symmetric Encryption (2)

• DES, 3DES, AES, RC4
• Advantages
  - Generally much faster than asymmetric encryption
  - Conceptually simple
• Disadvantages
  - Key distribution!!!

Page 23: Internet Security for Java

Public-Key Encryption

Diagram: Bob’s Original Information (plaintext) -> Encryption Algorithm keyed with Alice’s Public Key -> Ciphertext -> Decryption Algorithm keyed with Alice’s Private Key -> Original Information (plaintext) at Alice.

Page 24: Internet Security for Java

Public-Key Encryption (2)

• RSA, ECC
• Advantages
  - Partially solves the key distribution problem
• Disadvantages
  - Introduces other key management issues
  - Much slower than symmetric key encryption
• Generally combined with symmetric encryption

Page 25: Internet Security for Java

Random Number Generation

• Random number generation is used to produce unguessable keys
  - Keys must be unguessable!!!
• Strength of cipher depends upon:
  - Secrecy of key
  - Length of key
  - Cipher algorithm

Page 26: Internet Security for Java

Message Digests

• Guarantees integrity of data sent over the wire
• Provides protection against active attacks
• Used to calculate MACs
  - Secure version of a checksum
  - Secret key included in one-way function
• SHA-1, MD5

Page 27: Internet Security for Java

Authentication via MACs

Diagram: Alice and Bob hold a Shared Secret Key. The sender runs the MAC Algorithm over the Original Information (plaintext) and transmits Original Data + MAC; the receiver runs the same MAC Algorithm over the received data with the same key and compares the result with the MAC received.

Page 28: Internet Security for Java

Digital Signatures with Public Keys

Diagram: Bob runs the signing (“Encryption”) Algorithm over the Original Information (plaintext) with Bob’s Private Key and transmits Original Data + Signature; Alice runs the verification (“Decryption”) Algorithm with Bob’s Public Key to check the signature against the plaintext.
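The MAC exchange of the previous two pages and the signature exchange of this one, in JCA/JCE code. This is an added example, not the deck’s or Sun’s code: HmacSHA256 and SHA256withRSA stand in for the deck-era HmacSHA1 and DSA, the messages “ABC” and “DEF” are the constructed sample from the forgery page, and the key generation shows where the SecureRandom from the Random Number Generation page comes in. Assumes Java 8+.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class IntegrityDemo {
    // --- Shared-key MAC (Authentication via MACs page) ---
    static SecretKey newMacKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("HmacSHA256"); // HmacSHA1 / HmacMD5 are the deck-era names
        kg.init(256, new SecureRandom());                         // key material from a CSPRNG, never Math.random()
        return kg.generateKey();
    }
    static byte[] mac(SecretKey key, byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data);
    }
    // Receiver recomputes the tag and compares in constant time (a plain equals() leaks timing).
    static boolean verifyMac(SecretKey key, byte[] data, byte[] tag) throws GeneralSecurityException {
        return MessageDigest.isEqual(mac(key, data), tag);
    }

    // --- Public-key signature (Digital Signatures with Public Keys page) ---
    static KeyPair newSigningKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, new SecureRandom());
        return kpg.generateKeyPair();
    }
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }
    static boolean verifySig(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        try { return s.verify(sig); } catch (SignatureException e) { return false; } // malformed sig = invalid
    }

    public static void main(String[] args) throws Exception {
        byte[] abc = "ABC".getBytes(StandardCharsets.UTF_8);  // constructed: the message sent
        byte[] def = "DEF".getBytes(StandardCharsets.UTF_8);  // constructed: the altered packet

        SecretKey shared = newMacKey();                        // both Alice and Bob hold this key
        byte[] tag = mac(shared, abc);
        System.out.println("MAC over genuine ABC verifies:  " + verifyMac(shared, abc, tag));
        System.out.println("MAC over altered DEF verifies:  " + verifyMac(shared, def, tag));
        // Either holder of the shared key could have produced the tag, so a MAC gives no non-repudiation.

        KeyPair bob = newSigningKeys();                        // only Bob holds the private key
        byte[] sig = sign(bob.getPrivate(), abc);
        System.out.println("signature, genuine ABC verifies: " + verifySig(bob.getPublic(), abc, sig));
        System.out.println("signature, altered DEF verifies: " + verifySig(bob.getPublic(), def, sig));
        KeyPair other = newSigningKeys();                      // a signature made with some other key
        System.out.println("signature from other key:        " + verifySig(bob.getPublic(), abc, sign(other.getPrivate(), abc)));
    }
}
```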

Page 29: Internet Security for Java

Key Exchange

• How do Alice and Bob share a secret key?
• Static or dynamic methods
• Diffie-Hellman key agreement

1. A priori agreement on n and g, such that g is a primitive root mod n
2. Alice -> Bob: X (= g^A mod n), where A is random
3. Bob -> Alice: Y (= g^B mod n), where B is random
4. Alice computes K = Y^A mod n; Bob computes K' = X^B mod n
   where K = K' = g^(AB) mod n
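The four steps above carried out in code, as an added example that is not part of the deck: first with the slide’s formula on BigIntegers using constructed toy parameters (n = 23, g = 5, a primitive root mod 23; far too small for real use), then with the JCE KeyAgreement service at 2048 bits, where only the public values X and Y are passed between the two sides. Assumes Java 8+.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

public class DhAgreementDemo {
    // The slide's arithmetic on small numbers. Returns {K, K'}; the two must agree.
    static BigInteger[] toyAgreement(BigInteger n, BigInteger g, BigInteger a, BigInteger b) {
        BigInteger x = g.modPow(a, n);    // step 2: Alice sends X = g^A mod n
        BigInteger y = g.modPow(b, n);    // step 3: Bob sends   Y = g^B mod n
        BigInteger k = y.modPow(a, n);    // step 4: Alice       K  = Y^A mod n
        BigInteger kPrime = x.modPow(b, n); //        Bob         K' = X^B mod n
        return new BigInteger[] { k, kPrime };
    }

    // The same exchange through the JCE "DH" services. Returns true when both secrets match.
    static boolean jceAgreement() throws GeneralSecurityException {
        // Step 1: Alice generates the group parameters (n and g); Bob reuses them.
        KeyPairGenerator aliceGen = KeyPairGenerator.getInstance("DH");
        aliceGen.initialize(2048);
        KeyPair alice = aliceGen.generateKeyPair();
        DHParameterSpec params = ((DHPublicKey) alice.getPublic()).getParams();

        KeyPairGenerator bobGen = KeyPairGenerator.getInstance("DH");
        bobGen.initialize(params);
        KeyPair bob = bobGen.generateKeyPair();

        // Steps 2 and 3: only the encoded public keys cross the wire; decode them on the far side.
        KeyFactory kf = KeyFactory.getInstance("DH");
        PublicKey xFromAlice = kf.generatePublic(new X509EncodedKeySpec(alice.getPublic().getEncoded()));
        PublicKey yFromBob = kf.generatePublic(new X509EncodedKeySpec(bob.getPublic().getEncoded()));

        // Step 4: each side combines its own private value with the other's public value.
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(alice.getPrivate());
        ka.doPhase(yFromBob, true);
        byte[] k = ka.generateSecret();

        KeyAgreement kb = KeyAgreement.getInstance("DH");
        kb.init(bob.getPrivate());
        kb.doPhase(xFromAlice, true);
        byte[] kPrime = kb.generateSecret();

        return Arrays.equals(k, kPrime);
    }

    public static void main(String[] args) throws Exception {
        // Constructed toy parameters: n = 23, g = 5, private exponents A = 6 and B = 15.
        BigInteger[] ks = toyAgreement(BigInteger.valueOf(23), BigInteger.valueOf(5),
                                       BigInteger.valueOf(6), BigInteger.valueOf(15));
        System.out.println("toy: K = " + ks[0] + ", K' = " + ks[1]);
        System.out.println("JCE 2048-bit DH: secrets match = " + jceAgreement());
    }
}
```

Neither variant authenticates the parties: an attacker who substitutes his own X and Y ends up sharing a separate K with each side, which is why TLS binds the exchange to a certificate (next pages).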

Page 30: Internet Security for Java

Public-Key Infrastructure (PKI)

• Certificate authorities (CA) validate identity of public-key holder
  - This involves money changing hands
• Certificate authorities issue certificates
  - Certificates are digitally signed by the CA
  - X.509 used by TLS, IPSec, S/MIME
  - Certificates have a lifetime
• Trust relationship is a tree model

Page 31: Internet Security for Java

X.509 Certificate Processing

X.509 Certificate fields: Version, Serial Number, Signature Algorithm, Issuer Name, Period of Validity, Subject Name, Subject Public Key, Issuer Unique ID, Subject Unique ID, Extensions, Signature.

Diagram: a tree of CAs beneath a Root CA, each CA vouching for the CAs below it. A Network Node provides a certificate that is signed by one of those CAs; Your Device trusts the Root CA and therefore accepts the chain of “vouches for” relationships down to the node’s certificate.

Page 32: Internet Security for Java

PKI Limitations

• Updating trusted root authorities
• Certificate distribution
  - LDAP is frequently used
• Certificate verification
  - Certificate revocation lists (CRLs)
  - Online Certificate Status Protocol (OCSP): shifts burden to a separate server
• Key archival

Page 33: Internet Security for Java

JCA

• Java Cryptography Architecture
• Framework for accessing, developing, and plugging in cryptographic services
  - Encryption
  - Key generation and agreement
  - Digital signatures
  - Message digests and MACs
  - Secure streams
  - Sealed objects

Page 34: Internet Security for Java

Provider and Security Classes

• Provider
  - Encapsulates a service provider
  - Provides cryptographic services
• Security
  - Maintains lists of Provider objects: adds or removes Providers; list is in preference order
  - Manages system-wide security properties
• Default “SUN” Provider class
  - Message digests with MD5, SHA1
  - Digital signatures with DSA
  - Certificate support (X.509)
  - Key management
  - Random number generation via SHA-1

Page 35: Internet Security for Java

JCE

• Java Cryptography Extension
• Separated because of export restrictions
• New services for:
  - Encryption
  - Key generation and agreement
  - MACs
  - Secure streams
  - Sealed objects

Page 36: Internet Security for Java

JCE (2)

• DES, 3DES, AES, Blowfish
• Password-based encryption with DES/3DES
• Diffie-Hellman amongst multiple parties
• HMAC with MD5, SHA1
• But no public-key encryption

Page 37: Internet Security for Java

Cryptix Library

• Many more algorithms
  - RSA!!
  - RC4, RC5, RC6
• No export restrictions

Page 38: Internet Security for Java


Questions

Page 39: Internet Security for Java

SSL/TLS

• Secure Sockets Layer (v. 2.0, 3.0)
• Transport Layer Security (v. 3.1)
• Provides transport layer security for applications
• Must run over reliable protocol (e.g. TCP)
• Features include
  - Algorithm negotiation
  - Encryption/decryption
  - MACs
  - Key exchange

Protocol stack (diagram):
  Application Protocol (HTTP, SMTP)
  SSL / TLS
  TCP          UDP
  IP

Page 40: Internet Security for Java

TLS Communication Scenario

Diagram: Client A, Client B and Client C each connect to the Server across the Internet.

Page 41: Internet Security for Java

TLS Workflow

Application Data
1. Fragment
2. Compress
3. Add MAC
4. Encrypt
5. Add Header

Page 42: Internet Security for Java

TLS Session Initiation with RSA

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
   Suggested that first 4 bytes of random value include timestamp

Page 43: Internet Security for Java

TLS Session Initiation with RSA (2)

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Server Hello Done

Page 44: Internet Security for Java

TLS Session Initiation with RSA (3)

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Server Hello Done
5. Client -> Server: Client Key Exchange (encrypted premaster secret)
   Premaster secret layout: Major Version (1) | Minor Version (1) | Random (46), encrypted with the public key of the server
6. Client -> Server: Change Cipher Spec
7. Client -> Server: Finished
   Encrypted with the client write key, authenticated with client MAC key

Page 45: Internet Security for Java

TLS Session Initiation with RSA (4)

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Server Hello Done
5. Client -> Server: Client Key Exchange (encrypted premaster secret)
6. Client -> Server: Change Cipher Spec
   Client switches its Write State to the negotiated cipher; server switches its Read State
7. Client -> Server: Finished
8. Server -> Client: Change Cipher Spec
   Server switches its Write State; client switches its Read State
9. Server -> Client: Finished
   Encrypted with the server write key, authenticated with server MAC key

Page 46: Internet Security for Java

TLS Session Initiation with RSA (5)

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Server Hello Done
5. Client -> Server: Client Key Exchange (encrypted premaster secret)
6. Client -> Server: Change Cipher Spec
7. Client -> Server: Finished
8. Server -> Client: Change Cipher Spec
9. Server -> Client: Finished
10. Client -> Server: Application Data
11. Server -> Client: Application Data

Page 47: Internet Security for Java

TLS Session Initiation with RSA (6)

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Server Hello Done
5. Client -> Server: Client Key Exchange (encrypted premaster secret)
6. Client -> Server: Change Cipher Spec
7. Client -> Server: Finished
8. Server -> Client: Change Cipher Spec
9. Server -> Client: Finished
10. Client -> Server: Application Data
11. Server -> Client: Application Data
12. Either side: Alert (warning, close notify)

Page 48: Internet Security for Java

TLS with Client Authentication

1. Client -> Server: Client Hello (version, random numbers, supported MAC/compression/cipher suite)
2. Server -> Client: Server Hello (version, random numbers, session ID, MAC/compression/cipher suite)
3. Server -> Client: Server Certificate (X.509, including server’s public key)
4. Server -> Client: Certificate Request
5. Server -> Client: Server Hello Done
6. Client -> Server: Client Certificate
7. Client -> Server: Client Key Exchange (encrypted premaster secret)
8. Client -> Server: Change Cipher Spec
9. Client -> Server: Finished
10. Server -> Client: Change Cipher Spec
11. Server -> Client: Finished
12. Client -> Server: Application Data
13. Server -> Client: Application Data
14. Either side: Alert (warning, close notify)

Page 49: Internet Security for Java

JSSE

• Java Secure Sockets Extension
• Wrapper around TLS and SSL protocols
• Remember: Server always authenticates
  - Mechanism to update server certificates
• Client may authenticate

Page 50: Internet Security for Java

JSSE Client Code

// Uses javax.net.ssl.* and java.io.*
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("www.verisign.com", 443);

socket.startHandshake(); // Optional !!! Without it the handshake runs on the first read or write

PrintWriter out = new PrintWriter(new BufferedWriter(
        new OutputStreamWriter(socket.getOutputStream())));
out.println("GET http://www.verisign.com/index.html HTTP/1.1");
out.println("Host: www.verisign.com");   // required by HTTP/1.1
out.println();
out.flush();

BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
    System.out.println(inputLine);

in.close();
out.close();
socket.close();

* From the javasoft web site

Page 51: Internet Security for Java

JSSE Server Code

KeyStore ks = KeyStore.getInstance("JKS");
char[] passphrase = "passphrase".toCharArray();
ks.load(new FileInputStream("testkeys"), passphrase);   // holds the server's private key and certificate

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, passphrase);

SSLContext ctx = SSLContext.getInstance("TLS");
KeyManager[] km = kmf.getKeyManagers();
ctx.init(km, null, null);   // null TrustManagers and SecureRandom select the defaults

SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
SSLServerSocket ss = (SSLServerSocket) ssf.createServerSocket(port);

ss.setNeedClientAuth(true); // Optional: require a client certificate (the method has no trailing "s")

while (true) {
    SSLSocket client = (SSLSocket) ss.accept();       // accept() returns a plain Socket, so cast
    MyHandler handlerThread = new MyHandler(client);  // application-defined Thread subclass
    handlerThread.start();
}

* From the javasoft web site

Page 52: Internet Security for Java

JAAS

• Java Authentication & Authorization Service
• Wrapper around Pluggable Authentication Module framework
• Two goals:
  - Authenticate local users
  - Authorization of access to services
• Several protocols in SUN provider
  - UNIX, Kerberos, WinNT, Keystore…

Page 53: Internet Security for Java

Permission Model

• JDK1.2: Code-based
  - Where did it come from? Was it signed? Do we trust the signer?
• JAAS: Principal-based
  - User-, group-, and role-based authorization

Page 54: Internet Security for Java

JAAS Major Classes

• Subject
  - Set of Principal objects (identities)
  - Set of public and private credential objects
• LoginContext
• LoginModule
• CallbackHandler
• Callback

Page 55: Internet Security for Java

Login Code

LoginContext lc = null;
try {
    lc = new LoginContext("Sample", new Subject(), new MyCallbackHandler());
} catch (LoginException le) {
    System.exit(-1);
} catch (SecurityException se) {
    System.exit(-1);
}

int i;
for (i = 0; i < 3; i++) {           // allow three attempts
    try {
        lc.login();
        break;
    } catch (LoginException le) {
        try { Thread.sleep(3000); }  // back off before retrying
        catch (InterruptedException ie) { System.exit(-1); }
    }
}
if (i == 3) {
    System.exit(-1);
}

// Do something;
lc.logout();

* From the javasoft web site

• Works in two phases
• Controlled by config file

Page 56: Internet Security for Java

Callback Code

class MyCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof TextOutputCallback) {
                TextOutputCallback toc = (TextOutputCallback) callbacks[i];
                System.out.println(toc.getMessage());
            } else if (callbacks[i] instanceof NameCallback) {
                NameCallback nc = (NameCallback) callbacks[i];
                System.err.print(nc.getPrompt());
                System.err.flush();
                nc.setName((new BufferedReader(new InputStreamReader(System.in))).readLine());
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) callbacks[i];
                System.err.print(pc.getPrompt());
                System.err.flush();
                pc.setPassword(readPassword(System.in));   // readPassword: helper that reads a char[] without echo (not shown)
            }
        }
    }
}

* From the javasoft web site

Page 57: Internet Security for Java

Authentication Config File

Sample {
    sample.module.SampleLoginModule required debug=true;
};

* From the javasoft web site
From jaas.config

LoginModule control flags:
• Sufficient
• Requisite
• Required
• Optional

Page 58: Internet Security for Java

Authorization

• Principal-centric, not Subject-centric
• Three steps required
  - Subject must be authenticated
  - Security policy must be configured for Principals
  - Subject must be associated with an AccessControlContext object (perhaps the current one)

Page 59: Internet Security for Java

Executing Privileged Code

// After the Subject has been authenticated.
Subject subject = lc.getSubject();
Subject.doAs(subject, new LogAction());
// AccessControlContext aContext = AccessController.getContext();
// Subject.doAsPrivileged(subject, new LogAction(), aContext);

public class LogAction implements PrivilegedAction<Object> {
    public Object run() {
        // Do something of interest…
        return null;
    }
}

* From the javasoft web site
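The Login Code, Callback Code, Authentication Config File and Executing Privileged Code pages above, run together as one self-contained program. This is an added example, not the deck’s or Sun’s code: the configuration is supplied programmatically rather than from jaas.config, the user database and credentials are constructed, the CallbackHandler answers from fixed values instead of System.in, and SampleLoginModule / SamplePrincipal are hypothetical names modelled on the slide’s. Assumes Java 11+.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasTwoPhaseDemo {
    // Constructed stand-in for a user database (hypothetical user and password).
    static final Map<String, char[]> USERS = Map.of("testUser", "s3cret-demo".toCharArray());

    // Identity added to the Subject in phase 2 (hypothetical class modelled on the deck's).
    public static final class SamplePrincipal implements Principal {
        private final String name;
        SamplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "SamplePrincipal[" + name + "]"; }
    }

    // Phase 1 (login) checks the password but only records the outcome; phase 2 (commit) publishes
    // the Principal. If another REQUIRED module fails, abort() runs instead and nothing is published.
    public static final class SampleLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean succeeded;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] expected = USERS.get(nc.getName());
            succeeded = expected != null && Arrays.equals(expected, pc.getPassword());
            pc.clearPassword();                       // do not keep the secret around
            if (!succeeded) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }
        public boolean commit() { if (succeeded) subject.getPrincipals().add(new SamplePrincipal(user)); return succeeded; }
        public boolean abort()  { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof SamplePrincipal); return true; }
    }

    // Programmatic equivalent of the jaas.config entry:  Sample { ...SampleLoginModule required; };
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Sample".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(SampleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    // Answers the module's Callbacks from fixed values instead of prompting on System.in.
    static CallbackHandler handler(String user, String pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("Sample", new Subject(), handler("testUser", "s3cret-demo"), config());
        lc.login();                                   // phase 1 then phase 2 across all configured modules
        Subject subject = lc.getSubject();
        System.out.println("authenticated: " + subject.getPrincipals());
        // Run code with the Subject bound to the access control context (Executing Privileged Code page).
        String result = Subject.doAs(subject, (PrivilegedAction<String>) () ->
                "action ran for " + subject.getPrincipals(SamplePrincipal.class));
        System.out.println(result);
        lc.logout();
        try { new LoginContext("Sample", new Subject(), handler("testUser", "wrong"), config()).login(); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }  // abort() ran, no Principal
    }
}
```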

Page 60: Internet Security for Java

Security Policy File

grant codebase "file:./SampleAction.jar",
      Principal sample.principal.SamplePrincipal "testUser" {
    permission java.io.FilePermission "logFile.txt", "write";
    permission java.io.FilePermission "lastLogFile.txt", "read";
};

* From the javasoft web site

Page 61: Internet Security for Java

References

• Java Security Handbook, Jamie Jaworski and Paul J. Perrone, SAMS, 2000
• Network Security: PRIVATE Communication in a PUBLIC World, 2nd ed., Charlie Kaufman, Radia Perlman, Mike Speciner, Prentice Hall, 2002
• Network Security Essentials: Applications and Standards, William Stallings, Prentice Hall, 2000
• SSL and TLS: Designing and Building Secure Systems, Eric Rescorla, Addison Wesley, 2001
• HTTP Essentials: Protocols for Secure, Scaleable Web Sites, Stephen Thomas, John Wiley and Sons, 2001
• Applied Cryptography, Bruce Schneier, John Wiley & Sons, 1996
• Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/
• “Misuse Cases: Use Cases with Hostile Intent”, Ian Alexander, IEEE Software, January/February 2003

Page 62: Internet Security for Java

References (2)

• Java Cryptography Architecture: http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html
• Java Cryptography Extension: http://java.sun.com/products/jce/index-14.html
• Java Secure Sockets Extension: http://java.sun.com/products/jsse/index-14.html
• Java Authentication and Authorization Service: http://java.sun.com/products/jaas/index-14.html
• Cryptix Library: http://www.cryptix.org
• Wedgetail Library: http://www.wedgetail.com/jcsi/provider/
• Official Kerberos Web Site: http://web.mit.edu/kerberos/www/
• IETF web site: http://www.ietf.org
• Author’s web site: http://www.stevekapp.net/index.html

Page 63: Internet Security for Java


Questions