Network Security Primer
Brett Howard
Security Research and Innovation
Indocrypt 2002 Tutorial
Hyderabad, India
Agenda
Networking concepts
- OSI and TCP/IP stacks
- IP basics
- routing
Security
- definition
- availability and penetration: denial of service, hacking, viruses/worms, buffer overflows
- information attacks: confidentiality, integrity, authentication
- versus the network stack
VPNs
- intent
- need for security
IPSec
- standard overview
- IKE
- extensions
Authentication
- PKIs
- authentication example
Identities and Authorization
Standards survey
- SSL, SSH, RADIUS, SNMP, …
Final thoughts…
Digital Networks
The Network
Layered – why?
- separates functions
- hides technology choices
- emails or web traffic can be carried as easily by 48 kbit/s dial-up as by OC48
Application
Presentation
Session
Transport
Network
Link
Physical
Stacks
Open System Interconnection (OSI)
- ISO standard, around 1978
- 7 layers
Transport Control Protocol / Internet Protocol (TCP/IP)
- ARPA, circa 1974
- 4-5 layers
Network Stacks – OSI model
Application
Presentation
Session
Transport
Network
Link
Physical
OSI Model
Network Stacks – Physical layer
The physical medium used to transmit the information
- physical properties
- mechanical properties
- electrical/optical properties
- functional transmission aspects
Network Stacks – Link layer
Handles transmission of a framed set of data from one node in a network to another
- transmission protocol
Network Stacks – Network Layer
Concerned with end-machine (host) to end-machine transmission
- non-reliable
- packet oriented
Network Stacks – Transport Layer
End-to-end transmission of data blocks
- adds reliability
Network Stacks – Session layer
Buffer and data-flow management
- QoS issues
Network Stacks – Presentation layer
Translation of message syntax for the application
- more like a set of interpretation libraries (file formats etc.)
Network Stacks – Application layer
The user of network services – final end applications such as file-transfer or mail
Network Stacks
Application
Presentation
Session
Transport
Network
Link
Physical
OSI Model
Application
Transport
Network
Link
Physical
TCP/IP Model
Network Stacks
TCP/IP Model
Application: web (http), email (smtp), telnet, ftp, …
Transport: TCP, UDP
Network: IPv4
Link: Ethernet, X.25 LAPB, T1/E1, OC48, …
Physical: twisted-pair, fiber, wireless, …
Physical/Link Layer
Link Layer
- concerned with the transport of raw data hop-by-hop
- “bridge” level
- coupled with physical, also referred to as Media Access (MAC)
- can be in packets/frames/cells or just streams of bits
- usually few guarantees of reliability
- many technology choices depending on network regions
Link Layer – LAN
Priorities
- simple, cheap, relatively fast
- security deemed important since traditionally local
Examples
- Ethernet (10BaseT, 100BaseT, GigE, …)
- Token-Ring
- Wireless LAN: not really so local anymore, more on this later…
Link Layer – Access
Private leased-line
- Time-Division Multiplexed, 8000 frames/s
- T1: 24 channels x 8 bits + 1 frame bit = 1.544 Mbits/s
- E1: 32 channels x 8 bits = 2 Mbits/s
- T3 = 28 x T1 (43 Mbits/s)
- E3 = 16 x E1 (34 Mbits/s)
frame-relay
ISDN
modem
DSL
Cable
Link Layer – Core
Optical
- Synchronous Optical Network (SONET)
- Optical Carrier levels OCn at n x 51.84 Mbits/s
- OC3 = 155.52 Mbits/s (used as baseline for ATM)
Asynchronous Transfer Mode (ATM)
- small cells (53 bytes)
- fast “routing”
Passive Optical Network (PON)
- limited range but cheap
- fiber to the curb or home
- also ATM over PON (APON)
favoured by Telcos
Link Layer – Wireless
Used for Access and LAN
Access (Fixed Wireless)
- 802.16
- LMDS (Local Multipoint Distribution System)
LAN
- 802.11x: a 54 MBits/s, b 11 MBits/s, g 22 MBits/s (compatible with b)
- BlueTooth 1 MBits/s
Network Layer
- concerned with delivering data from host-to-host (machine-to-machine)
- connectionless
- “router” level
- may cross diverse Link layers
- still lacks any notion of reliability
- Internet Protocol (IPv4) for the sake of this presentation, but also X.25’s PLP, Novell IPX
A quick look at the Internet Protocol v4
IP address (version 4)
- 32-bit number
- format often in dotted decimal notation of 4 octets, example: 12.5.122.188
- three classes
  A: [1–126].0.0.0 (2^24 hosts per subnet)
  B: [128–191].x.0.0 (2^14 hosts each)
  C: [192–223].x.y.0 (2^8 hosts each)
- these can be further subdivided into subnets
- running out of addresses! (NAT)
domain name represents an address
- Domain Name Server (DNS) allows address lookup
- for example, this conference: www.isical.ac.in/~indocrypt is 202.54.54.145
Transport Layer
- concerned with transport of data from application to application
- “gateway” level
- for the sake of this presentation, two options:
  UDP: connectionless / unreliable
  TCP: connection / reliable
- typically applications are tagged using ports
TCP / UDP Goals
TCP and UDP
- multiplexing among programs
TCP
- data segmented into datagrams for IP, up to 64 000 octets (bytes) each
- reliable transport: checksum, all data [eventually] is received correctly
- sequencing and ordering
- intelligent windowing using sequence numbers
- handshake
Transport Control Protocol
Three-message handshake for initiation
Initiator -> Responder: [SYN SeqNo=X]
Responder -> Initiator: [SYN SeqNo=Y | ACK=X+1] (half-open connection)
Initiator -> Responder: [ACK Y+1] (open connection)
X and Y are chosen randomly
or at least, they are supposed to be… oops!
TCP / UDP Ports
Allows multiplexing of users and applications from a single host
Some pre-defined destination ports
- FTP 21 and 20
- telnet 23
- SMTP 25
- http 80
- POP3 110
Source ports can be created on the fly
Application Layer
- network resource user
- handles some of the functions associated with OSI’s Session and Presentation layers
- email: SMTP
- Web: http
TCP / IP Basics - interconnect
Hubs
- a hub (concentrator) connects a number of network cables to a network
- network connections on a hub share a single “collision domain”
Bridges
- a bridge divides a LAN into layer-2 segments and typically learns topology
Switches
- a switch is similar to a hub, except it adds intelligence and a high-performance backplane to allow multiple connections to appear as dedicated (and so do not share a collision domain)
Routers
Connectivity and forwarding at the IP level
When a packet is destined to a host which is not on the local subnet, it is forwarded by the appropriate router
- hop-by-hop
- IP source and destination addresses stay constant
- layer-2 addresses change
Maintain routing tables
- routers inter-communicate and share routing info using routing protocols
- OSPF, RIP, BGP, EGP, …
Network Address Translation
Motivation
- as mentioned, we are running out of addresses
- adds an element of security by obscuring internal network
Can be
- one-to-one
- one-to-many (Port Address Translation)
Port Address Translation
- all internal addresses are mapped to a single external address
- internal addresses may be from a pool of non-registered IP addresses (10.0.0.0 or 192.168.0.0 for example)
- TCP connections are initiated internally
- for the first outbound packet a new random source port is invented
- the source address is replaced by external address
- the correspondence is maintained for return packets
PAT Example (outbound packet)
Corporate LAN: 10.0.0.0, host 10.17.8.4; PAT G/W 21.87.9.2; server 201.7.2.34
On the LAN:      Src 10.17.8.4 port 8771, Dst 201.7.2.34 port 80
After PAT G/W:   Src 21.87.9.2 port 9231, Dst 201.7.2.34 port 80
PAT G/W table:   9231 = 10.17.8.4 / 8771
PAT Example (return packet)
Corporate LAN: 10.0.0.0, host 10.17.8.4; PAT G/W 21.87.9.2; server 201.7.2.34
From the server: Src 201.7.2.34 port 80, Dst 21.87.9.2 port 9231
PAT G/W table:   9231 = 10.17.8.4 / 8771
On the LAN:      Src 201.7.2.34 port 80, Dst 10.17.8.4 port 8771
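The translation table behind the PAT slides, as an added example that is not part of the original deck. The class name, the `port_picker` hook (used to force the slide's port 9231) and the check that return traffic comes from the original remote peer are assumptions of this sketch.

```python
import secrets


class PatGateway:
    """Port Address Translation table for TCP/UDP flows (illustrative sketch)."""

    def __init__(self, external_ip, port_picker=None):
        self.external_ip = external_ip
        # port_picker is a hypothetical hook so a caller can force a known port;
        # by default a random port in 1024..65535 is drawn for each new flow.
        self.port_picker = port_picker or (lambda: 1024 + secrets.randbelow(64512))
        self.by_flow = {}      # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.by_ext_port = {}  # ext_port -> (int_ip, int_port, dst_ip, dst_port)

    def _allocate(self):
        for _ in range(1000):
            port = self.port_picker()
            if port not in self.by_ext_port:
                return port
        raise RuntimeError("no free external port")

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; returns the rewritten 4-tuple."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            # First outbound packet of the flow: invent a new source port.
            ext_port = self._allocate()
            self.by_flow[flow] = ext_port
            self.by_ext_port[ext_port] = flow
        return (self.external_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from outside; None means it is dropped."""
        flow = self.by_ext_port.get(dst_port)
        if dst_ip != self.external_ip or flow is None:
            return None  # no internal host opened this port
        int_ip, int_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None  # mapped port, but not the peer the flow was opened to
        return (src_ip, src_port, int_ip, int_port)


def slide_example():
    """Replays the two PAT slides with the addresses and ports shown on them."""
    gw = PatGateway("21.87.9.2", port_picker=lambda: 9231)
    out = gw.outbound("10.17.8.4", 8771, "201.7.2.34", 80)
    back = gw.inbound("201.7.2.34", 80, "21.87.9.2", 9231)
    unsolicited = gw.inbound("201.7.2.34", 80, "21.87.9.2", 4444)
    return out, back, unsolicited


if __name__ == "__main__":
    for row in slide_example():
        print(row)
```

The dropped unsolicited packet is the "element of security" the NAT slide mentions: nothing outside can reach an internal address unless an internal host opened the flow first.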
Network Security
What do we mean?
“Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals”
- William R. Cheswick
Network Security
Protection of
- resources from network-based attacks: hacking, trojans, worms / viruses, DoS
- data as it traverses the network
Resource Attacks
Resource Attacks - DoS
Flood
- Simple Flood: UDP or ICMP
- Smurf: an attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies.
- Syn Flood: IP stacks are often implemented with large numbers of possible connections, but small number of half-open connections; flooding with enough TCP SYNs (but no FINs) can make a stack unusable.
Resource Attacks – DoS
Distributed DoS (DDOS)
- more sophisticated forms of flooding attack
- control Zombies to flood victims
Examples
- Trinoo
- Tribe Flood Network
- Stacheldraht (barbed wire)
Resource Attacks – DoS
Logic
- General class of attacks which take advantage of known logic/code errors, i.e. implementations
Studies have shown > 1 bug / KLoC
- Win2K has 40 MLoC which maps to > 30 Kbugs!
- other OSs don’t fare much better
Several classes and corresponding exploits
- bounds checking
- Buffer Overflow: data overwrite; in extreme cases, attacker can place rogue code which is executed and take over the machine or leave a permanent Trojan
- input sanity checking
- general bugs
Bounds Checking examples
Ping of Death
- huge ICMP echo requests
Teardrop
- fragments that cannot be re-assembled properly
Land
- same source and destination IP confuses some implementations to the point of crashing
Resource Attacks - parsing
Microsoft Internet Information Server (IIS)
- "../.." attack first in 1996
- %2f ('/') attack first 1997
- %2w (invalid hex code, interpreted as %2f) in 1999
- %c1%1c (unicode for '/') in 2000
- %252f ('%'2f) in 2001
[Diagram: www.mycompany.com, the mycompany.com web server]
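Why each fix on this slide was followed by another encoding: the path was checked in one form and used in another. The sketch below is an added example, not code from the deck or from IIS; it puts two check-before-canonicalize patterns beside a resolver that decodes exactly once, refuses anything that would decode further, and only then tests the final path. `WEB_ROOT` and the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"   # assumed document root (constructed for this example)


def _join(decoded):
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def filter_then_decode(url_path):
    """Weak: the '../' filter sees the raw string, decoding happens afterwards."""
    if "../" in url_path:
        return None
    return _join(unquote(url_path))


def decode_filter_decode(url_path):
    """Weak: decode, filter, then a later stage decodes a second time."""
    once = unquote(url_path)
    if "../" in once:
        return None
    return _join(unquote(once))


def canonical_resolve(url_path):
    """Hardened: one strict decode, no leftovers, containment check on the result."""
    try:
        decoded = unquote(url_path, errors="strict")
    except UnicodeDecodeError:
        return None   # bytes such as %c1%1c are not valid UTF-8: refuse, do not guess
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None   # %2w, %252f: something could still be decoded downstream
    full = _join(decoded)
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None   # resolved outside the document root
    return full


# Constructed requests, one per encoding named on the slide, plus a normal one.
SAMPLES = [
    "/images/logo.gif",
    "/../../private/passwords.txt",
    "/..%2f..%2fprivate/passwords.txt",
    "/..%2w..%2wprivate/passwords.txt",
    "/..%c1%1c..%c1%1cprivate/passwords.txt",
    "/..%252f..%252fprivate/passwords.txt",
]


def audit(samples=SAMPLES):
    """Returns, per request, the path each resolver would hand to the file system."""
    return {s: (filter_then_decode(s), decode_filter_decode(s), canonical_resolve(s))
            for s in samples}


if __name__ == "__main__":
    for request, results in audit().items():
        print(request, results)
```

The hardened resolver rejects a literal percent sign in a file name; that is a deliberate trade-off of this sketch, not a general requirement.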
Resource Attacks - Protocol
Any class of attacks that exploit weaknesses in a networking protocol
Example (TCP weakness)
- Blind Spoofing (or Sequence Number) Attack
- if an attacker can predict sequence number (insight into pseudo-RNG) then a blind packet with spoofed IP source can be damaging
- Mitnick allegedly used against Shimomura
- also points to an authentication problem…
Worms and Viruses
Viruses depend on a host program, worms do not
- viruses are spread by a host
- worms can gnaw through a network independently
Examples:
Mass Mailer
- Melissa
- AnnaKournikova
- ILoveYou
Code Red
- IIS buffer overflow allows trojan horse
- worm spreads by finding other victims (somewhat randomly)
NIMDA
- piggy-backed on Code Red’s victims!
- plus mass-mailer techniques (two varieties)
- plus search for open shares
Resource attack protection
Firewalls
IDS
Anti-virus
better code!
better testing!
third-party validation
Third-Party Validations
Industry
Standards
- Orange Book
- FIPS 140
- Common Criteria
Validation Standards – Orange Book
Originally conceived for Operating Systems
Levels
- A1 - proven security
- B3 - minimized TCB: Wang DTS
- B2 - structured security
- B1 - mandatory access control: trusted AIX, Zos, Solaris, Irix, Linux
- C2 - discretionary access control: AIX, Win2K, Linux
- C1 - no real security: Win9x, others
- D: user manual?
Now replaced by the Common Criteria
Validation Standards – FIPS 140
US National Institute of Standards and Technology
Designed for security modules
[Module diagram: Data Inputs, Data Outputs, State Machine, FIPS Crypto, Self Test, Key Storage, Active Zeroize, Operator Interface]
Validation Standards – FIPS 140
Cryptographic module design, Module interface, Roles and services, Finite state machine model, Physical security, Software security, Operating system security, Cryptographic key management, Cryptographic algorithms, EMI / EMC, Self Tests
A profile is created for each area
- with a rating 1-4 on each
- overall rating is the minimum
Validation Standards – Common Criteria
Large international consortium
Basically shows that a product is designed to meet whatever security profile you choose
Overall Evaluation Assurance Level
- EAL 1..7
- can be very expensive, especially for the higher levels
Network Security
Protection of
- resources from network-based attacks: hacking, trojans, worms / viruses, DoS
- data as it traverses the network
Data Security Concepts Overview
Information Security
Confidentiality / Encryption
Integrity / Message Digests
Authentication / Digital Signatures
Confidentiality
Keeping data secret from all except the intended viewers
Traditional Encryption systems: DES, 3-DES, IDEA, FEAL, CAST, RC5, AES
“Symmetric” ciphers
- same key used to encrypt and decrypt
Secret Key Encryption - Symmetric Key
Same key encrypts as decrypts
Examples: DES, 3-DES, RC5, IDEA, CAST
[Diagram: Data In -> DES Enc (Key) -> Data Out, then Data In -> DES Dec (Key) -> Data Out; the two keys are marked as equal (=)]
Issue: Keys have to be the same
Key Management
Integrity
Keeping information intact and free from modification
Message Digesting systems: MD2, MD4, MD5, SHA-1, RIPEM
Allows detection of modification
- behaving like a strong cryptographic CRC
Message Digests (Integrity)
crypto checksum
- examples: MDx, SHA-1, RIPEM
[Diagram: the sender computes MD5 over the Message to get the Digest; the receiver recomputes MD5 over the Message and compares (=?) with the received Digest]
how do we send the digest reliably?
- keyed hashing (ex: Krawczyk’s HMAC)
- or sign the digest
Authentication
Verifies the origin of information
Digital Signature systems: examples:
- RSA
- DSA
Use “asymmetric” keying systems
- private key signs
- public key verifies
Sign and Verify
[Diagram: DSA sign takes the Message or File and the Private Key and produces the Signature; DSA verify takes the Message or File, the Public Key and the Signature and answers Good or Bad]
Key Agreement
[Diagram: Alice and Bob each run Key Agreement I and Key Agreement II and arrive at the same (=) Session Key]
Network Stacks – security?
Application
Transport
Network
Link
Physical
TCP/IP Model
But where to put security?
Security at the Physical Layer
Physical Layer?
- some regard certain technology choices as inherently secure: optical fiber, spread-spectrum
- claims are questionable
- benefits are also questionable since we usually are looking at security end-to-end
- few real examples of a secure physical layer
- maybe quantum crypto?
Security at the Link Layer
Link Layer
- many examples exist
- less useful for similar reasons as physical layer: not end-to-end
- examples: T1/E1 link encryptors, modem encryptors, frame relay link encryptors, ATM encryption, 802.11x Wired Equivalent Privacy (WEP)
802.11x Wired Equivalency Protocol
Interesting (infamous) example
Good idea
- add security back to the air link
Good technology
- 64-156 bit RC4 encryption
Bad implementation
- integrity via encrypted CRC from stream cipher
- re-use of IVs
- authentication uses encrypted challenge
  challenge in the clear
  encrypted using XOR!
  we no longer need shared secret, we have the pseudo-random stream
Security at the Network Layer
Network Layer: very good choice for many applications
- independent of transport
- invisible to the application
- host-to-host
- VPNs, more on this later…
drawbacks
- no link to application
- no link to user
- more on this later too!
examples
- IPsec
Security at the Transport Layer
Transport Layer: also good choice
- end-to-end
- independent of transport
- [can be] invisible to the application
drawbacks
- where do we link it? UDP? TCP?
- if both, then why not Network Layer?
examples
- SSL/TLS (well, sort of…)
- Kyberpass
Security at the Application Layer
Application Layer: good choice for peer-to-peer
- strongest binding to the operator
drawbacks
- different solution for each application
examples
- S/MIME
- PGP (and PGP/MIME)
- https
Internet and VPNs
What is a VPN?
Solutions for interconnecting regionally dispersed networks via public networks
Main elements:
- tunneling
- security (SVPN)
Connections through Internet are “virtually private” and appear as transparent as a router
[Diagram: secure and unsecure paths between the Corporate LAN, the Internet and an Internet POP]
Remote Access
- Low-cost, worldwide access for mobile users and telecommuters via ISPs
Intranet
- Flexible, low-cost virtual leased line branch office connectivity
Extranet
- Multiple company commerce for customers, suppliers, and partners
Secure VPN Solution Overview
Internet
One worldwide global network
One worldwide internetworking communications standard: IP
High reliability
Issues:
- legacy systems
- QoS
- security
IETF: IPSec
IPSec Standards
Internet Engineering Task Force (IETF) Working Group
Offers protocols for:
- IP security
- tunneling
IPSec Standards
IP network layer security services
covers three main elements:
- encryption and integrity of data: ESP/AH
- negotiate keys and security mechanism: IKE (formerly ISAKMP/Oakley)
- tunnel private addresses over public networks
IPSec In Action
[Diagram: two hosts across an unsecured network, each with the stack applications, TCP / UDP, IP, IPSec, IP, Ethernet / PPP; numbered steps 1 to 4, labelled with IKE (formerly ISAKMP/Oakley) and ESP/AH]
ESP/AH
Authentication Header (AH)
- rfc 2402
- protocol 51
- data integrity including IP headers: HMAC-MD5, HMAC-SHA-1, ...
- replay protection via sequence number
Encapsulating Security Payload (ESP)
- rfc 2406
- protocol 50
- data confidentiality: DES, 3DES, RC5, CAST, Blowfish, IDEA
- data integrity: encrypt then perform MD
ESP/AH: Tunneling versus Transport
Transport
- encrypt packets and leave header (mostly) intact
- useful for: LAN security, another tunneling protocol (L2TP for example)
Tunneling
- encrypt entire IP packet and encapsulate
- larger packet (two IP headers)
- ideal for VPNs
Tunneling in action
[Diagram 1. Labels: Dial-in Client 10.7.1.1, PPP, RAS, Router, R & D <10.3.0.0>, <10.7.0.0>, Data Centre <10.1.0.0> with host 10.1.2.6. Packet shown: IP 10.7.1.1 | 10.1.2.6 | payload]
Tunneling in action
[Diagram 2. Labels: Dial-in Client 10.7.1.1 and 53.72.8.4, POP <53.72.0.0>, Internet, VPN Gateway 27.14.1.22, VPN Gateway 27.72.8.4, RAS, R & D <10.3.0.0>, Data Centre <10.1.0.0> with host 10.1.2.6. Packets shown: inner IP 10.7.1.1 | 10.1.2.6 | payload, carried inside outer IP/IPSec 53.72.8.4 | 27.8.6.9]
Security Associations
Defines the security relationship
A set of policies and keys used to protect information
SA is uniquely identified by Security Parameter Index (SPI) and Destination IP Address
Security Association Parameters:
AH authentication algorithm and keys
ESP encryption algorithms, mode and keys
IV field attributes (presence/absence, size)
Key lifetime
SA lifetime
AH Transport Mode
Before: IP Head | TCP/UDP Head | data
After:  IP Head | AH Head | TCP/UDP Head | data
AH Head (24 bytes total): Next Hdr | Payload Len | Rsrv | SPI | Seq# | Keyed Hash
Integrity Hash Coverage (minus mutable fields in IP: TOS, flags, fragment #, TTL, checksum)
AH Tunnel Mode
Before: IP Head | TCP/UDP Head | data
After:  IP Head | AH Head | IP Head | TCP/UDP Head | data
AH Head (24 bytes total): Next Hdr | Payload Len | Rsrv | SPI | Seq# | Keyed Hash
Integrity Hash Coverage (minus mutable fields in IP: TOS, flags, fragment #, TTL, checksum)
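What "integrity hash coverage minus mutable fields" means in practice, as an added example that is not from the original deck: a transport-mode AH packet is built with a 24-byte header (HMAC-SHA-1 truncated to 96 bits), then checked after a router decrements the TTL and after a PAT gateway rewrites the source address. The key, SPI, IP ID and payload are constructed, and the sketch has no options handling or replay window.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

AH_PROTO, TCP_PROTO = 51, 6
ICV_LEN = 12   # HMAC-SHA-1 truncated to 96 bits: AH header = 12 + 12 = 24 bytes


def ip_checksum(hdr20):
    total = sum(struct.unpack("!10H", hdr20))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(hdr20):
    h = bytearray(hdr20)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def build_ip(src, dst, proto, body, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return with_checksum(hdr) + body


def zero_mutable(hdr20):
    """IP header as the ICV sees it: fields routers may change are zeroed."""
    h = bytearray(hdr20)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv=bytes(ICV_LEN)):
    # Payload Len is the AH length in 32-bit words minus 2: 24 / 4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, next_hdr, spi, seq, upper):
    covered = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, upper, next_hdr=TCP_PROTO):
    draft = build_ip(src, dst, AH_PROTO, ah_header(next_hdr, spi, seq) + upper)
    icv = ah_icv(key, draft[:20], next_hdr, spi, seq, upper)
    return build_ip(src, dst, AH_PROTO, ah_header(next_hdr, spi, seq, icv) + upper)


def ah_verify(key, packet):
    ip_hdr, ah, upper = packet[:20], packet[20:44], packet[44:]
    next_hdr, _len, _rsv, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = ah_icv(key, ip_hdr, next_hdr, spi, seq, upper)
    return hmac.compare_digest(expected, ah[12:])


def router_hop(packet):
    h = bytearray(packet[:20])
    h[8] -= 1                                  # TTL is mutable
    return with_checksum(bytes(h)) + packet[20:]


def nat_rewrite_source(packet, new_src):
    h = bytearray(packet[:20])
    h[12:16] = inet_aton(new_src)              # source address is not mutable
    return with_checksum(bytes(h)) + packet[20:]


def demo():
    key = b"constructed-demo-key"
    pkt = ah_protect(key, "10.17.8.4", "201.7.2.34", spi=0x1001, seq=1,
                     upper=b"constructed TCP segment")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    return {
        "as sent": ah_verify(key, pkt),
        "after 3 router hops": ah_verify(key, router_hop(router_hop(router_hop(pkt)))),
        "after PAT rewrote source": ah_verify(key, nat_rewrite_source(pkt, "21.87.9.2")),
        "payload bit flipped": ah_verify(key, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first two checks pass: ordinary forwarding leaves the hash intact, while address translation looks exactly like tampering to the receiver.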
ESP Transport Mode
Before: IP Head | TCP/UDP Head | data
After:  IP Head | ESP Head | TCP/UDP Head | data | ESP Trail | ESP Auth
ESP fields (22-36 bytes total): SPI | Seq# | InitVector | Padding | PadLength | NextHdr | Keyed Hash
[Bars on the packet mark the Encryption Coverage and the Integrity Hash Coverage]
ESP Tunnel Mode
Before: IP Head | TCP/UDP Head | data
After:  IP Head | ESP Head | IP Head | TCP/UDP Head | data | ESP Trail | ESP Auth
ESP fields (22-36 bytes total): SPI | Seq# | InitVector | Padding | PadLength | NextHdr | Keyed Hash
[Bars on the packet mark the Encryption Coverage and the Integrity Digest Coverage]
IKE - Internet Key Exchange
Establishes security context between peers
Three primary tasks of IKE:
- negotiate policy
- Diffie-Hellman key exchange
- authenticate the peers
Rides atop UDP (port 500)
IKE - Internet Key Exchange
Secure against
- denial of service (simple attacks)
- man-in-the-middle
- session hijacking
- replay
Optional
- perfect forward secrecy
- identity protection
Two Phases
- Phase 1: Main or Aggressive Mode
- Phase 2: Quick Mode
How IKE Works
Phase 1:
- Establishes Security Context for secure IKE communication
- Negotiates: authentication method (shared secret, digital signature, …), encryption algorithm, digest algorithm, keying material, key lifetime, renewal period
- Uses Diffie-Hellman to exchange keying information
- Authenticates both peers
- Main mode: 3x2 messages, provides identity protection
- Aggressive mode: 2x2 messages
IKE Phase 1 – Main Mode
Initiator -> Responder: Multiple Proposals
Responder -> Initiator: One Proposal
Initiator -> Responder: DH key, nonce
Responder -> Initiator: DH key, nonce
Initiator -> Responder: ID, [cert], sig
Responder -> Initiator: ID, [cert], sig
IKE Phase 1 – Aggressive Mode
Initiator -> Responder: Proposals, DH key, nonce, ID
Responder -> Initiator: One Proposal, key, nonce, ID, [cert], sig
Initiator -> Responder: [cert], sig
How IKE Works...
Phase 2: Quick Mode
- establishes one or more Security Contexts for other protocols (IPSec’s ESP & AH)
- negotiates algorithms and other parameters
- communicates securely under the Security Context established under phase 1
- optionally supports Perfect Forward Secrecy
IKE Phase 2
Initiator -> Responder: Multiple Proposals, nonce [, ID, DH key ]
Responder -> Initiator: One Proposal, nonce [, ID, DH key ]
Initiator -> Responder: acknowledgement
IPSec Cryptographic Algorithms
Data Integrity
- HMAC: MD5, RIPEMD, SHA-1, SHA-2*
- AES-MAC*
Encryption
- DES, 3-DES, RC5, Blowfish, IDEA, Rijndael (AES)*
Key Agreement
- Diffie-Hellman
- Integers mod p: 786, 1024, 1536
- elliptic curve (over GF[P] and GF[2^n]): GF[2^155], GF[2^185], GF[2^163]x2 and GF[2^283]x2
Authentication
- RSA
- DSA
* In progress…
The NAT issue…
As mentioned, NAT/PAT uses ports to map internal IP addresses to ports, but…
IPSec packets have no ports since the layer 4 portion is encapsulated and encrypted
So, one option is to simply stick a dummy UDP header to give the NAT device something to play with…
More IPSec-related IETF Standards Work...
Problem:
- scaling client deployment
- dynamic configuration
Dynamic remote management
- IKE Configuration
- Private Address Request (PAR)
- resource location (CA, X.500, DNS, WINS)
- like a VPN DHCP
Not an RFC
IKE Config
[Diagram. Labels: Dial-in Client, POP <53.72.0.0>, 53.72.8.4, Internet, RAS, VPN Gateway 27.72.8.4, Head Office <10.1.0.0>, DNS, 10.1.2.6, mail_srv2, 10.7.1.1. Exchanges shown:]
IKE Exchanges: Main or Aggressive mode
IKE [CONFIG]: request
IKE [CONFIG]: <IP:10.7.1.1>, <DNS: 10.1.2.6>, ...
More IPSec-related IETF work…
SNMP monitoring
- IPSec VPN MIB
- real time tunnel & usage, errors, traps
VPN policy
- ipsp
- BBN Policy - SPS, SPSL
- dependent on Policy Framework
- policy distribution & discovery
- VPN topology
More IPSec-related IETF work…
IPComp
- problem: IPsec kills any chance of lower-layer compression
- solution: add it back in at layer 3
- LZW, DEFLATE
ipsra
- discussed later in authentication…
Interoperability: “how real is all this?”
Interoperability Tests
Originally spearheaded by ANX
ICSA was handed responsibility
VPNC also runs tests
Testing
- Internet
- bake-offs
Interoperability Tests
Very successful!
Interoperability failures imply:
- implementation errors: vendors fix
- ambiguity in the standards: fed-back to authors and improved
100s of participants
What is tested
Just about anything
IPSec
- ESP / AH (many transforms)
- IKE (all modes)
- certificates
XAUTH, CONFIG, Hybrid, IPComp, …
Enrollment protocols
IPSec – is it a good protocol?
Yes and No
A lot of work went into making it secure
– but –
IKE
- very complex!
- hard to implement
- difficult to analyze
- modest performance penalty
- intimidating to implement
On the other hand
- very flexible
- very thorough in its treatment of security objectives
- widely adopted
Proposals for simpler IKE
- Son of IKE
- IKEv2
- Just Fast Keying (JFK)
IKE
Establishes a security context between two peers
Problem is…
- who am I establishing with?
- how do I identify a packet’s origin?
- requires authentication
Authentication Systems
Biometrics
One-time password tokens
Shared Secret
Certificates
Public Key Infrastructures
Biometrics
Methods of using human physiology for identification / authentication
Examples:
- fingerprint
- retina and cornea
- hand-writing
- voice pattern
Biometrics – Cont’d
Great where there is locality
- building access
- local computer account access
- smart-cards
– but –
not so applicable over the network
- spoofing, etc.
One-Time Password Tokens
Time-based or challenge-response
Work very well to authenticate a user
- but -
No cryptographic tie to the session
Vulnerable to:
- session hijacking
- man-in-the-middle attacks
Shared Secret Authentication
Part of the IPSec standard
IKE exchange allows mutual authentication with a secret value
Tied cryptographically to the remainder of the session, so
- no session hijacking
- no man-in-the-middle attack
Shared Secret Authentication
Security concern if “secrets” are not chosen carefully
Scalability is main issue
- n-squared secrets in the general case
- maintenance and distribution not viable for large networks
Enter the
- Certificate -
Certificates
Digital IDs
Signed by a trusted authority (CA)
Digitally binds the ID to its public key
X.509 structure
ID: "John Smith"
Public Key: RSA-512: 451f6c882..8b
Serial Number: 2772-18811
Expiry: January 1, 1998
Issuer: 2770-19199
CA Signature: DSA: 177f31cbe94..1f
Public Key Infrastructures (PKIs)
Certificate Authority (CA)
- signs user certificates (enrollment)
- creates revocation lists (CRLs)
Certificate servers
- X.500
- DNS
Enrollment
Process by which a CA securely issues an authorized certificate to a target
End result is that:
Target x has:
- PrivX (usually held privately)
- CertX
- CertCA (containing PubCA)
Repository has:
- CertX
Using a PKI
When I receive a signed message, how do I verify its origin?
[Diagram on every slide of this sequence: Alice, Bob, the CA and the X.500 Directory. The sample document is:]
THE PHILOSOPHER'S SONG
Immanuel Kant was a real pissant
who was very rarely stable.
Heidegger, Heidegger was a boozy beggar
who could think you under the table.
David Hume could out consume
Wilhelm Friedrich Hegel.
And Wittgenstein was a beery swine
who was just as sloshed as Schlegel.
There's nothing Nietzsche couldn't teach ya
‘bout the raising of the wrist.
Socrates himself was permanently pissed.
Alice signs the document using her private key PrivAlice, which only she knows….
The document and its Signature are sent to Bob.
Using a PKI
1 Retrieve originator’s public key certificate
Certificate
- ID: “Alice”
- Public Key: 3fe4c9e90d...
- Expiry: 1-jan-99
- Serial No: 188291-91
- CA signature
2 Validate cert using CA public key (PubCA): Valid? Yes / No
3 Retrieve the latest CRL
CRL
- 122839-91
- 199219-22
- 199290-10
- CA signature
4 Validate CRL using CA public key (PubCA): Valid? Yes / No
5 Check CRL for match
6 Validate document (PubAlice): Valid? Yes / No
Using a PKI
Alice sent this!
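The six verification steps above as one function, in an added example that is not from the original deck. Signatures use textbook RSA over SHA-256 with fixed Mersenne primes so the block runs with the standard library alone: toy key sizes and no padding, for illustration only. The dictionary "certificate" and "CRL" formats and the check date are assumptions; Alice's serial number, expiry and the CRL entries are the values shown on the slides.

```python
import hashlib
from datetime import date


def make_key(p, q, e=65537):
    """Textbook RSA key pair from two fixed primes (toy sizes, no padding)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def _encode(body):
    return repr(sorted(body.items())).encode()   # stand-in for DER encoding


def ca_sign(ca_priv, body):
    return {"body": body, "sig": sign(ca_priv, _encode(body))}


def issue_cert(ca_priv, ident, pub, expiry, serial):
    return ca_sign(ca_priv, {"id": ident, "n": pub["n"], "e": pub["e"],
                             "expiry": expiry.isoformat(), "serial": serial})


def issue_crl(ca_priv, revoked):
    return ca_sign(ca_priv, {"revoked": sorted(revoked)})


def verify_origin(directory, ca_pub, sender, document, signature, today):
    """Bob's side: returns "ok" or the first check that failed."""
    cert = directory["certs"].get(sender)                     # 1 retrieve certificate
    if cert is None:
        return "no certificate"
    body = cert["body"]
    if not verify(ca_pub, _encode(body), cert["sig"]):         # 2 validate certificate
        return "bad certificate signature"
    if body["id"] != sender or date.fromisoformat(body["expiry"]) < today:
        return "certificate not valid for sender/date"
    crl = directory["crl"]                                     # 3 retrieve latest CRL
    if not verify(ca_pub, _encode(crl["body"]), crl["sig"]):   # 4 validate CRL
        return "bad CRL signature"
    if body["serial"] in crl["body"]["revoked"]:               # 5 check CRL for match
        return "certificate revoked"
    sender_pub = {"n": body["n"], "e": body["e"]}
    if not verify(sender_pub, document, signature):            # 6 validate document
        return "bad document signature"
    return "ok"


# Constructed keys: products of Mersenne primes, far too small for real use.
CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**61 - 1)
DOCUMENT = b"THE PHILOSOPHER'S SONG"
TODAY = date(1998, 6, 1)   # constructed check date, before the 1-jan-99 expiry


def build_directory(revoked=("122839-91", "199219-22", "199290-10")):
    cert = issue_cert(CA_PRIV, "Alice", ALICE_PUB, date(1999, 1, 1), "188291-91")
    return {"certs": {"Alice": cert}, "crl": issue_crl(CA_PRIV, revoked)}


if __name__ == "__main__":
    sig = sign(ALICE_PRIV, DOCUMENT)
    print(verify_origin(build_directory(), CA_PUB, "Alice", DOCUMENT, sig, TODAY))
```

Bob's only long-term trust input is `CA_PUB`: everything fetched from the directory is checked against it before Alice's key is used.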
Certificates again…
Certificates have an owner, identified by a DN
Presumably, the reasons for an identity is to: enact some policy rules audit activity
But, in network security, who is the owner? operator? host? application?
Certificate Identities
SSL
- host authentication only
- certificates identify the domain
- makes sense
  - I care that I am talking to mycompany.com
  - mycompany.com only cares that client can pay!
Email
- application-level and user-oriented
- mail server is store-and-forward
  - not involved in security typically
- certificates identify the person
Certificate Identities
But what of IPsec?
- layer 3, so host-machine oriented
- so, layer-3 identities make sense (like an IP address or domain)
- works well for intranet VPNs
[Diagram: Intranet; Corporate LAN]
Certificate Identities
However, IPsec is used for remote access too, and we may wish to restrict access according to the user’s identity
– so –
User-identified certificates make sense
– however –
Certificate Identities
Corporations are often resistant to deploying full PKI for all users
- expensive
- complex
– and –
They already have an investment in one-time password tokens (SecurID, etc.)
Identities
Ok, so why not just use OTPs with a fixed [public] shared-secret?
- Nope! Need some layer 3 authentication, otherwise hijack is possible
A number of schemes have been implemented: XAUTH, Hybrid, IPSRA
- layer 3 host certificate validation
- user OTP client validation
OK, I know who you are now, but...
should I talk to you? - Authorization
must create policy rules
- example: create ACL based on certificate DNs
- but, how to scale?
Authorization (cont’d)
Work is ongoing in:
- policy framework working-group
- IPSec policy working group
IPSec policy working group
- SPSL, SPD
- distributed policy servers responsible for resolving local policy from gateways
Groups
idea… define groups and define access privileges accordingly
publish authorization objects in the infrastructure
- almost like a group membership card
- scales with the directory
Authentication / Authorization example...
[Diagram: Alice reaches the Finance Server over the LAN; X.500 Directory, CA and Policy Manager; result: PERMIT]
Finance server access policy
- Allow access if member of: Group = “Finance” or Group = “Managers”
Group Certificate
- ID: “Alice”
- Groups: Engineering, Managers
- Expiry: 1-Jan-99
- Serial No: 188291-98
- PM Signature
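The Finance server decision from the slide above, as an added example that is not part of the original deck: the server verifies the Policy Manager's signature on the group certificate, binds it to the already-authenticated identity, checks expiry, then applies the group policy. The signature is a toy textbook RSA with a constructed key standing in for a real scheme; the function names and evaluation dates are assumptions.

```python
import hashlib
from datetime import date

# Toy textbook RSA (small constructed key, no padding) standing in for the
# Policy Manager's real signature scheme. Illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537      # P and Q are Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, PM only

def _digest(fields):
    h = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(h, "big") % N

def pm_sign(fields):                         # runs on the Policy Manager
    return pow(_digest(fields), D, N)

def pm_verify(fields, sig):                  # server side, needs only (N, E)
    return pow(sig, E, N) == _digest(fields)

def issue_group_cert(subject, groups, expiry, serial):
    fields = (subject, tuple(sorted(groups)), expiry.isoformat(), serial)
    return {"fields": fields, "sig": pm_sign(fields)}

FINANCE_POLICY = {"Finance", "Managers"}     # policy from the slide

def authorize(authenticated_id, cert, today, policy=FINANCE_POLICY):
    """authenticated_id is the ID from the identity certificate that was
    already validated during authentication. Returns (decision, reason)."""
    if not pm_verify(cert["fields"], cert["sig"]):
        return "DENY", "bad PM signature"    # trust no field before this
    subject, groups, expiry, _serial = cert["fields"]
    if subject != authenticated_id:
        return "DENY", "group certificate issued to another identity"
    if today >= date.fromisoformat(expiry):  # assumption: invalid from expiry day
        return "DENY", "group certificate expired"
    matched = sorted(policy & set(groups))
    if not matched:
        return "DENY", "not a member of a permitted group"
    return "PERMIT", "member of " + ", ".join(matched)

# Constructed sample mirroring the slide's group certificate for Alice.
ALICE = issue_group_cert("Alice", ["Engineering", "Managers"],
                         date(1999, 1, 1), "188291-98")

if __name__ == "__main__":
    print(authorize("Alice", ALICE, date(1998, 6, 1)))
```

The identity-binding check is what stops one user from presenting another user's group certificate after authenticating as themselves.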
Single Sign-on
Shines for client/application-server model
Authentication grants authorization ticket
- ticket is used to access
  - applications
  - resources
user only needs to maintain one password
Examples: Kerberos, Netscape
Who owns the key?
Similar to the authentication issue
For a user application, the answer is easy – the application does (or should)
But what about a server application?
What about Transport layer security?
What about Client VPN?? Multi-user???
VPN illustration
[Diagram: Internet; POP; Remote Access; Intranet; Home office; Head office]
Standards Landscape
IETF Standards
IPSec
- ESP / AH
- IKE
- SNMP MIB
IPComp
- LZS
- DEFLATE
IETF Standards
IPSRA
- Methods of issuing temporary certificates using RADIUS, etc.
PKIX
- PKCS 7, 10, 12
- CMP
- CMC
- SCEP
IPv6
Security mechanisms provided by IPSec
- all IPv6-compliant stacks must support
- does not have to be enabled
Slow pickup
- one main intent was address space
  - NAT has alleviated this significantly
- huge IPv4 infrastructure
Secure Sockets Layer (SSL)
Originally designed by Netscape
Transaction-based
Ideal for Electronic Commerce (https)
One-way certificate authentication
Being standardized in the IETF as TLS
Can be compiled into application sitting at the transport layer
Secure HTTP
Originally designed by Enterprise Integration Technology (EIT)
Document-level security for HTTP
Dual-authenticated peers
RSA and symmetric security
Submitted to IETF, now RFC 2660
Secure Electronic Transactions (SET)
Master Card and Visa along with Netscape and Microsoft
Uses SSL and S-HTTP to establish a framework between the credit-card company, the merchant and the purchaser
All mutually authenticated
Secure Shell (SSH)
Unix-based command interface
Allows secure access to a remote computer
- security application listens in on specified ports
- static port mapping table required
- ideal for certain applications: rlogin, rsh, rcp, ftp
SNMPv3
Simple Network Management Protocol
v3 = secure version of SNMP
Protection against:
- modification of information
- masquerading
- message stream modification
- disclosure
RADIUS and DIAMETER
Authentication and auditing
Password and permission database
RADIUS uses a shared secret to secure the password
DIAMETER mandates strong security on all parts of the transaction, but leaves mechanisms relatively open
- recommends IPSec
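How the shared secret protects the password in RADIUS, as an added example that is not from the original slides: the User-Password hiding of RFC 2865 section 5.2, where MD5 over the shared secret and the Request Authenticator yields a keystream that is XORed with the null-padded password. The secret, authenticator and password values are constructed, and the function names are assumptions.

```python
import hashlib

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side. b_i = MD5(secret + c_(i-1)), c_i = p_i XOR b_i,
    where c_0 is the 16-octet Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))        # ceil, at least one block
    padded = password.ljust(blocks * 16, b"\x00")   # null padding to 16n octets
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev                              # chain on the ciphertext block
    return hidden

def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: rebuild the same keystream from the received blocks."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 octets, multiple of 16")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")                    # drop the null padding

# Constructed sample values (not from the page).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery"                 # 21 octets, two blocks

if __name__ == "__main__":
    h = hide_user_password(PASSWORD, SECRET, REQUEST_AUTH)
    print(h.hex(), recover_user_password(h, SECRET, REQUEST_AUTH))
```

A wrong shared secret does not raise an error; it yields a different byte string, so the server simply sees a password mismatch.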
S/MIME and PGP/MIME
Application-level security for email
S/MIME
- originally from RSA
- now on IETF standards track
PGP/MIME
- from Pretty-Good Privacy (now Network Associates)
- uses PGP’s web-of-trust for encrypting and signing emails
- now PGP Corporation
Quick Comparison: SSH, SSL, IPsec
Protocol: IPSec
Advantages:
- secures all IP protocols
- invisible to application
- independent of transport
- very flexible
Disadvantages:
- complicated to implement
- auth not bound to application
- problems with NAT

Protocol: SSH
Advantages:
- secures specific TCP protocols
- no need to modify application
- easy to deploy
Disadvantages:
- designed for TCP only
- not adaptive (must configure statically for each protocol)
- problems with NAT

Protocol: SSL
Advantages:
- secures client / server applications
- widely accepted for Internet / Web
- application-level auth tied to user
- firewall and NAT friendly
Disadvantages:
- compile-time security add-on, so cannot be retrofitted to secure existing applications
- TCP-only
Other security areas worth exploring...
- Software design practices
- Password management
- Random number generation
- OS stuff
  - file permissions
  - roles / services
- Quantum crypto
- Incident Response reporting (CERT, etc.)
Sources of security stuff
RSA www.rsasecurity.com
IETF www.ietf.cnri.reston.va.us
CERT www.cert.org
FreeS/WAN www.freeswan.org
TimeStep www.cid.alcatel.com/vpn
Entrust www.entrust.com
VeriSign www.verisign.com
CACR www.cacr.math.uwaterloo.ca
Parting thoughts…
We have a few problems in protecting our network resources
- most do not appear to be related to cryptography, but rather, in its implementation
- also, the highest profile attacks are on the Internet
  - makes sense – open standards, open access!
  - little accountability
  - high impact
  - high visibility
Parting thoughts…
Is this fixable?
- Yes! well… I think so.
- No silver bullet
Greatest short-term impact
- add standardized testing
- integrate the tools (they exist!)
  - IPSec, SSH, antivirus, firewall, …
- mandate security in certain key areas
Parting thoughts…
Longer term
- mandate third-party validation
- add accountability
  - encourage service providers to track access to users using strong mechanisms in cases of incident
- continue security protocol and crypto research
  - remembering that it’s not only about security but usability
  - no security if it’s too expensive to use!