Network Security Primer Brett Howard Security Research and Innovation Indocrypt 2002 Tutorial Hyderabad, India

Network Security Primer

Brett HowardSecurity Research and Innovation

Indocrypt 2002 Tutorial

Hyderabad, India

Networking concepts OSI and TCP/IP stacks IP basics routing

Security definition availability and penetration

denial of service hacking viruses/worms buffer overflows

information attacks confidentiality integrity authentication

versus the network stack

Agenda

VPNs intent need for security

IPSec standard overview IKE extensions

Authentication PKIs authentication example

Identities and Authorization Standards survey

SSL, SSH, RADIUS, SNMP, … Final thoughts…

Digital Networks

The Network

Layered – why? separates functions hides technology choices

emails or web traffic can be carried as easily by 48 kbit/s dial-up as by OC48

Application

Presentation

Session

Transport

Network

Link

Physical

Stacks Open System Interconnection (OSI)

ISO standard around 1978 7 layers

Transport Control Protocol / Internet Protocol (TCP/IP) ARPA circa 1974 4-5 layers

Network Stacks – OSI model

Application

Presentation

Session

Transport

Network

Link

Physical

OSI Model

Network Stacks – Physical layer

OSI Model

Transport

Presentation

Application

Network

Link

Physical

Session

The physical medium used to transmit the information

- physical properties

- mechanical properties

- electrical/optical properties

- functional transmission aspects

Network Stacks – Link layer

OSI Model

Transport

Presentation

Application

Network

Session

Physical

Link

Handles transmission of a framed set of data from one node in a network to another

- transmission protocol

Network Stacks – Network Layer

OSI Model

Transport

Presentation

Application

Link

Session

Physical

Network

Concerned with end-machine (host) to end-machine transmission

-non-reliable

-packet oriented

Network Stacks – Transport Layer

OSI Model

Presentation

Application

Network

Link

Session

Physical

Transport

End-to-end transmission of data blocks

- adds reliability

Network Stacks – Session layer

OSI Model

Transport

Presentation

Application

Network

Link

Physical

Session

Buffer and data-flow management

- QoS issues

Network Stacks – Presentation layer

OSI Model

Transport

Application

Network

Link

Session

Physical

Presentation

Translation message syntax for the application

-more like a set of interpretation libraries (file formats etc.)

Network Stacks – Application layer

OSI Model

Transport

Presentation

Network

Link

Session

Physical

ApplicationThe user of network services – final end applications such as file-transfer or mail

Network Stacks

Application

Presentation

Session

Transport

Network

Link

Physical

OSI Model

Application

Transport

Network

Link

Physical

TCP/IP Model

Network Stacks

web (http), email (smtp), telnet, ftp, …

TCP, UDP

IPv4

Ethernet, X.25 LAPB, T1/E1, OC48,…

Application

Transport

Network

Link

Physical

TCP/IP Model

twisted-pair, fiber, wireless, …

Physical/Link Layer

Application

Transport

Network

Link

Physical

TCP/IP Model Link Layer concerned with the transport of raw

data hop-by-hop

“bridge” level

coupled with physical, also referred to as Media Access (MAC)

can be in packets/frames/cells or just streams of bits

usually few guarantees of reliability

many technology choices depending on network regions

Link Layer – LAN

Priorities simple, cheap, relatively fast security deemed important since traditionally local

Examples Ethernet (10BaseT, 100BaseT, GigE, …) Token-Ring Wireless LAN

not really so local anymore more on this later…

Link Layer – Access Private leased-line

Time-Division Multiplexed 8000 frames/s

T1: 24 channels x 8 bits + 1 frame bit = 1.544 Mbits/s E1: 32 channels x 8 bits = 2 Mbits/s

T3 = 28 x T1 (43 Mbits/s) E3 = 16 x E1 (34 Mbits/s)

frame-relay ISDN

modem DSL Cable

Link Layer – Core

Optical Synchronous Optical Network (SONET)

Optical Carrier levels OCn at n x 51.84 Mbits/s OC3 = 155.52 Mbits/s (used as baseline for ATM)

Asynchronous Transfer Mode (ATM) small cells (53 bytes) fast “routing”

Passive Optical Network (PON) limited range but cheap fiber to the curb or home also ATM over PON (APON)

favoured by Telcos

Link Layer – Wireless

Used for Access and LAN

Access (Fixed Wireless) 802.16 LMDS (Local Multipoint Distribution System)

LAN 802.11x

a 54 MBits/s b 11 MBits/s g 22 MBits/s (compatible with b)

BlueTooth 1 MBits/s

Network Layer

Application

Transport

Link

Physical

TCP/IP Model Network Layer concerned with delivering data

from host-to-host (machine-to-machine)

connectionless

“router” level

may cross diverse Link layers

still lacks any notion of reliability

Internet Protocol (IPv4) for the sake of this presentation, but also

X.25’s PLP Novell IPX

Network

A quick look at the Internet Protocol v4

IP address (version 4) 32-bit number

format often in dotted decimal notation of 4 octets example: 12.5.122.188

three classes A: [1126].0.0.0 (224 hosts per subnet) B: [128191].x.0.0 (214 hosts each) C: [192223].x.y.0 (28 hosts each)

these can be further subdivided into subnets running out of addresses! (NAT)

domain name represents an address Domain Name Server (DNS) allow address lookup for example: this conference www.isical.ac.in/~indocrypt

202.54.54.145

Transport Layer

Application

Link

Physical

TCP/IP Model Transport Layer concerned transport of data from

application to application

“gateway” level

for the sake of this presentation, two options:

UDP: connectionless / unreliable TCP: connection / reliable

typically applications are tagged using ports

Network

Transport

TCP / UDP Goals

TCP and UDP multiplexing among programs

TCP data segmented into datagrams for IP

up to 64 000 octets (bytes) each reliable transport

checksum all data [eventually] is received correctly sequencing and ordering intelligent windowing using sequence numbers

handshake

Transport Control Protocol

Three-message handshake for initiation

[SYN SeqNo=X]

[ACK Y+1]

[SYN SeqNo=Y | ACK=X+1]

Initiator Responder

X and Y are chosen randomly

or at least, they are supposed to be… oops!

half-open connection

open connection

TCP / UDP Ports

Allows multiplexing of users and applications from a single host

Some pre-defined destination ports FTP 21 and 20 telnet 23 SMTP 25 http 80 POP3 110

Source ports can be created on the fly

Application Layer

Link

Physical

TCP/IP Model Application Layer network resource user

handles some of the functions associated with OSI’s Session and Presentation layers

email: SMTP

Web: httpNetwork

Transport

Application

TCP / IP Basics - interconnect

Hubs a hub (concentrator) connects a number of network cables to a Network. network connections on a hub share a single “collision domain”.

Bridges a bridge divides a LAN into layer-2 segments and typically learns topology

Switches a switch is similar to a hub, except it adds intelligence and a high-

performance backplane to allow multiple connections to appear as dedicated (and so, do not share a collision domain

Routers

Connectivity and forwarding at the IP level

When a packet is destined to a host which is not on the local subnet, then it is forwarded by the appropriate router

hop-by-hop IP source and destination addresses stay constant layer-2 addresses change

Maintain routing tables routers inter-communicate and share routing info using routing

protocols OSPF, RIP, BGP, EGP, …

Network Address Translation

Motivation as mentioned, we are running out of addresses adds an element of security by obscuring internal network

Can be one-to-one one-to-many (Port Address Translation)

Port Address Translation

all internal addresses are mapped to a single external address internal addresses may be from a pool of non-registered

IP addresses (10.0.0.0 or 192.168.0.0 for example)

TCP connections are initiated internally

for the first outbound packet a new random source port is invented the source address is replaced by external address the correspondence is maintained for return packets

201.7.2.34

21.87.9.2

10.17.8.4

PAT Example

PATG/W

server

Src:

Dst:

IP

10.17.8.4

201.7.2.34

Port

8771

80

Corporate LAN: 10.0.0.0

Src:

Dst:

IP

21.87.9.2

201.7.2.34

Port

9231

80

9231 = 10.17.8.4/ 8771

201.7.2.34

21.87.9.2

10.17.8.4

PAT Example

PATG/W

server

Corporate LAN: 10.0.0.0

Src:

Dst:

IP

201.7.2.34

21.87.9.2

Port

80

9231

9231 = 10.17.8.4/ 8771

Src:

Dst:

IP

201.7.2.34

10.17.8.4

Port

80

8771

Network Security

Network Security

What do we mean?

“Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your

computers or any peripherals”

-William R. Cheswick

Network Security

Protection of resources from network-based attacks data as it traverses the network

Network Security

Protection of resources from network-based attacks

hacking trojans worms / virsuses DoS

data as it traverses the network

Resource Attacks

Resource Attacks - DoS

Flood Simple Flood

UDP or ICMP

Smurf An attacker sends forged ICMP echo packets to broadcast

addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies.

Syn Flood IP stacks are often implemented with large numbers of possible

connections, but small number of half-open connections; flooding with enough TCP SYNs (but no FINs) can make a stack unusable.

Resource Attacks – DoS

Distributed DoS (DDOS) more sophisticated forms of flooding attack control Zombies to flood victims

Examples Trinoo Tribe Flood Network Stacheldraht (barbed wire)

Resource Attacks – DoS

Logic General class of attacks which take advantage of known logic/code

errors – ie. implementations

Studies have shown > 1 bug / KLoC Win2K has 40 MLoC which maps to > 30 Kbugs! other OSs don’t fair much better

Several classes and corresponding exploits bounds checking

Buffer Overflow data overwrite in extreme cases, attacker can place rogue code which is executed and

take over the machine or leave a permanent Trojan input sanity checking general bugs

Bounds Checking examples

Ping of Death huge ICMP echo requests

Teardrop fragments that cannot be re-assembled properly

Land same source and destination IP confuses some implementations to the point of crashing

Resource Attacks - parsing

Microsoft Internet Information Server (IIS) "../.." attack first in 1996 %2f ('/ ') attack first 1997 %2w (invalid hex code, interpreted as %2f) in 1999 %c1% 1c (unicode for '/ ') in 2000 %252f ('%'2f) in 2001

mycompany.com web server

www.mycompany.com

Resource Attacks - Protocol

Any class of attacks that exploit weaknesses in a networking protocol

Example (TCP weakness) Blind Spoofing (or Sequence Number) Attack

if an attacker can predict sequence number (insight into pseudo-RNG) then a blind packet with spoofed IP source can be damaging

Mitnick allegedly used against Shimomura also points to an authentication problem…

Worms and Viruses

Viruses depend on a host program, worms do not viruses are spread by a host worms can gnaw through a network independently

Examples: Mass Mailer

Melissa AnnaKournikova ILoveYou

Code Red IIS buffer overflow allows trojan horse worm spreads by finding other victims (somewhat randomly)

NIMDA piggy-backed on Code Red’s victims! plus mass-mailer techniques (two varieties) plus search for open shares

Resource attack protection

Firewalls

IDS

Anti-virus

better code!

better testing!

third-party validation

Third-Party Validations

Industry

Standards Orange Book FIPS 140 Common Criteria

Validation Standards – Orange Book

Originally conceived for Operating Systems

Levels A1 - proven security B3 - minimized TCB

Wang DTS B2 - structured security B1 - mandatory access control

trusted AIX, Zos, Solaris, Irix, Linux C2 - discretionary access control

AIX, Win2K, Linux C1 - no real security

Win9x, others D

user manual?

Now replaced by the Common Criteria

Validation Standards – FIPS 140

US National Institute of Standards and Technology

Designed for security modules

DataInputs

DataOutputs

StateMachine

FIPSCrypto

Self Test

Key Storage

ActiveZeroize

OperatorInterface

Validation Standards – FIPS 140

Cryptographic module design, Module interface, Roles and services, Finite state machine model, Physical security, Software security, Operating system security, Cryptographic key management, Cryptographic algorithms, EMI / EMC, Self Tests

A profile is created for each area with a rating 1-4 on each overall rating is the minimum

Validation Standards – Common Criteria

Large international consortium

Basically shows that a product is designed to meet whatever security profile you choose

Overall Evaluation Assurance Level EAL 1..7 can be very expensive, especially for the higher levels

Network Security

Protection of resources from network-based attacks

hacking trojans worms / virsuses DoS

data as it traverses the network

Data Security Concepts Overview

Information Security

Confidentiality / Encryption

Integrity / Message Digests

Authentication / Digital Signatures

Confidentiality

Keeping data secret from all except the intended viewers

Traditional Encryption systems: DES, 3-DES, IDEA, FEAL, CAST, RC5, AES

“Symmetric” ciphers same key used to encrypt and decrypt

Secret Key Encryption - Symmetric Key

Same key encrypts as decrypts

Examples: DES, 3-DES, RC5, IDEA, CAST

DESKey

Data In

Data OutEnc

DESKey

Data In

Data OutDec

Issue: Keys have to be the same

Key Management

=

DESKey

Data In

Data OutEnc

DESKey

Data In

Data OutDec

Secret Key Encryption - Symmetric Key

Integrity

Keeping information intact and free from modification

Message Digesting systems: MD2, MD4, MD5, SHA-1, RIPEM

Allows detection of modification behaving like a strong cryptographic CRC

crypto checksumcrypto checksum examples: MDexamples: MDxx, SHA-1, RIPEM, SHA-1, RIPEM

Message Digests (Integrity)Message Digests (Integrity)

MD5

Message

Digest

MD5

Digest

Message

=?

how do we send the digest reliably?how do we send the digest reliably? keyed hashing (ex: Krawczyk’s HMAC)keyed hashing (ex: Krawczyk’s HMAC) sign the digest sign the digest

Or

Authentication

Verifies the origin of information

Digital Signature systems: examples:

RSA DSA

Use “asymmetric” keying systems private key signs public key verifies

Sign and Verify

DSAsign

Message or File

Private Key

Signature

DSAsign

Message or File

Private Key

Signature

DSAverify

Message or File

Public Key

Signature

Sign and Verify

DSAverify

Message or File

Public Key

Signature

GoodGood

BadBad

Sign and Verify

Alice Bob

=

KeyAgreement

I

KeyAgreement

I

KeyAgreement

II

KeyAgreement

II

Session Key

Session Key

Key Agreement

Network Stacks – security?

Application

Transport

Network

Link

Physical

TCP/IP Model

But where to put

security?}

Security at the Physical Layer

Application

Transport

Network

TCP/IP Model Physical Layer? some regard certain technology

choices as inherently secure optical fiber spread-spectrum

claims are questionable

benefits are also questionable since we usually are looking at security end-to-end

few real examples of a secure physical layer

maybe quantum crypto?

Link

Physical

Security at the Link Layer

Application

Transport

Network

TCP/IP Model Link Layer

Physical

Link

many examples exist

less useful for similar reasons as physical layer: not end-to-end

examples: T1/E1 link encryptors modem encryptors frame relay link encryptors ATM encryption 802.11x

Wired Equivalent Privacy (WEP)

802.11x Wired Equivalency Protocol

Interesting (infamous) example

Good idea add security back to the air link

Good technology 64-156 bit RC4 encryption

Bad implementation integrity via encrypted CRC from stream cipher re-use of IVs authentication uses encrypted challenge

challenge in the clear encrypted using XOR! we no longer need shared secret, we have the pseudo-random stream

Security at the Network Layer

Application

Transport

Link

Physical

TCP/IP Model Network Layer very good choice for many applications

independent of transport invisible to the application host-to-host VPNs more on this later…

drawbacks no link to application no link to user more on this later too!

examples IPsec

Network

Security at the Transport Layer

Application

Link

Physical

TCP/IP Model Transport Layer also good choice

end-to-end independent of transport [can be] invisible to the application

drawbacks where do we link it?

UDP? TCP? if both, then why not Network Layer?

examples SSL/TLS

well, sort of… Kyberpass

Network

Transport

Security at the Application Layer

Link

Physical

TCP/IP Model Application Layer good choice for peer-to-peer

strongest binding to the operator

drawbacks different solution for each application

examples S/MIME PGP (and PGP/MIME) https

Network

Transport

Application

Internet and VPNs

What is a VPN?

Solutions for interconnectiong regionally dispersed networks via public networks

Main elements: tunneling security (SVPN)

Connections through Internet are “virtually private” and appear as transparent as a router

Internet

Secure

Unsecure

InternetPOP

InternetRemote Access

Low-cost, worldwide access for mobile users and telecommuters via ISPs

Intranet

Flexible, low-cost virtual leased line branch office connectivity

Extranet

Multiple company commerce for customers, suppliers, and partners

Corporate LAN

Secure VPN Solution Overview

Internet

One worldwide global network

One worldwide internetworking communications standard: IP

High reliability

Issues: legacy systems QoS security

IETF: IPSec

IPSec Standards

Internet Engineering Task Force (IETF) Working Group

Offers protocols for: IP security tunneling

IPSec Standards

IP network layer security services covers three main elements:

encryption and integrity of data ESP/AH

negotiate keys and security mechanism IKE (formerly ISAKMP/Oakley)

tunnel private addresses over public networks

unsecuredunsecurednetworknetwork

applications

TCP / UDP

IP

Ethernet / PPP

IPSec

IP

applications

TCP / UDP

IP

Ethernet / PPP

IPSec

IP

1IKE (formerly ISAKMP/Oakley)

2

ESP/AH

3

4

IPSec In Action

ESP/AH

Authentication Header (AH) rfc 2402 protocol 51 data integrity including IP headers

HMAC-MD5, HMAC-SHA-1, ... replay protection via sequence number

Encapsulating Security Payload (ESP) rfc 2406 protocol 50 data confidentiality

DES, 3DES, RC5, CAST, Blowfish, IDEA data integrity

encrypt then perform MD

ESP/AH: Tunneling versus Transport

Transport encrypt packets and leave header (mostly) intact useful for

LAN security another tunneling protocol (L2TP for example)

Tunneling encrypt entire IP packet and encapsulate larger packet (two IP headers) ideal for VPNs

Tunneling in action

Dial-in Client

Data Centre

R & D

Router

10.7.1.1

RAS

10.1.2.6

<10.1.0.0>

<10.3.0.0>

<10.7.0.0>

10.7.1.1 10.1.2.6 payloadIP

PPP

Tunneling in actionR & D

RAS

<10.3.0.0>

<53.72.0.0>

InternetInternet

POP

10.7.1.1 10.1.2.6 payloadIP

Dial-in Client

10.7.1.1

Data Centre

10.1.2.6

<10.1.0.0>

53.72.8.4 27.8.6.9IP IPSec

VPN Gateway 27.14.1.22


53.72.8.4

Security Associations

Defines the security relationship

A set of policies and keys used to protect information

SA is uniquely identified by Security Parameter Index (SPI) and Destination IP Address

Security Association Parameters:

AH authentication algorithm and keys

ESP encryption algorithms, mode and keys

IV field attributes (presence/absence, size)

Key lifetime

SA lifetime

AH Transport Mode

Next HdrNext Hdr Payload LenPayload Len RsrvRsrv SPISPI Keyed HashKeyed Hash

minus mutable fields in IP: TOS, flags, fragment #, TTL, checksum

Seq#Seq#

24 bytes total

IP Head Head data

IP Head AH Head Head data

Integrity Hash Coverage

TCPUDP

TCPUDP

AH Tunnel Mode

24 bytes total

IP Head Head data

IP Head dataIP Head AH Head

Next HdrNext Hdr Payload LenPayload Len RsrvRsrv SPISPI Keyed HashKeyed HashSeq#Seq#

TCPUDP

HeadTCPUDP

minus mutable fields in IP: TOS, flags, fragment #, TTL, checksumIntegrity Hash Coverage

ESP Transport Mode

SPI

Padding PadLength NextHdr

Seq# Keyed HashInitVector

22-36 bytes total

IP Head Head dataTCPUDP

IP Head Head dataTCPUDPESP Head ESP AuthESP Trail

Integrity Hash CoverageEncryption Coverage

ESP Tunnel Mode

IP Head Head dataTCPUDP

IP Head Head dataTCPUDPESP Head ESP AuthESP Trail

Integrity Digest CoverageEncryption Coverage

IP Head

SPI

Padding PadLength NextHdr

Seq# Keyed HashInitVector

22-36 bytes total

IKE - Internet Key Exchange

Establishes security context between peers

Three primary tasks of IKE: negotiate policy Diffie-Hellman key exchange authenticate the peers

Rides atop UDP (port 500)

IKE - Internet Key Exchange

Secure against denial of service (simple attacks) man-in-the-middle session hijacking replay

Optional perfect forward secrecy identity protection

Two Phases Phase 1: Main or Aggressive Mode Phase 2: Quick Mode

How IKE Works

Phase 1: Establishes Security Context for secure IKE communication

Negotiates authentication method (shared secret, digital signature, …) encryption algorithm digest algorithm keying material key lifetime renewal period

Uses Diffie-Hellman to exchange keying information Authenticates both peers

Main mode 3x2 messages provides identity protection

Aggressive mode 2x2 messages

Multiple Proposals One Proposal

Initiator Responder

DH key, nonce DH key, nonce

ID, [cert], sig ID, [cert], sig

IKE Phase 1 – Main Mode

Proposals, DH key, nonce, ID One Proposal, key, nonce, ID, [cert], sig

Initiator Responder

[cert], sig

IKE Phase 1 – Aggressive Mode

How IKE Works...

Phase 2: Quick Mode establishes one or more Security Contexts for

other protocols (IPSec’s ESP & AH) negotiates algorithms and other parameters

communicates securely under the Security Context established under phase 1

optionally supports Perfect Forward Secrecy

IKE Phase 2

Multiple Proposals, nonce [, ID, DH key ] One Proposal, nonce, [, ID, DH key ]

Initiator Responder

acknowledgement

IPSec Cryptographic Algorithms

Data Integrity HMAC

MD5 RIPEMD SHA-1 SHA-2*

AES-MAC*

Encryption DES 3-DES RC5 Blowfish IDEA Rijndael (AES)*

Key Agreement Diffie-Hellman

Integers mod p 786 1024 1536

elliptic curve (over GF[P] and GF[2n]) GF[2155], GF[2185] GF[2163]x2 and GF[2283]x2

Authentication RSA DSA

* In progress…

The NAT issue…

As mentioned, NAT/PAT uses ports to map internal IP addresses to ports, but…

IPSec packets have no ports since layer 4 portion in encapsulated and encrypted

So, one option is to simply stick a dummy UDP header to give the NAT device something to play with…

More IPSec-related IETF Standards Work...

Problem: scaling client deployment dynamic configuration

Dynamic remote management IKE Configuration Private Address Request (PAR) resource location (CA, X.500, DNS, WINS) like a VPN DHCP

Not an RFC

IKE Config

RAS<53.72.0.0>

InternetInternet

POPDial-in Client

Head Office

10.1.2.6

<10.1.0.0>


53.72.8.4DNS

IKE Exchanges: Main or Aggressive mode

IKE [CONFIG]: request

IKE [CONFIG]: <IP:10.7.1.1>, <DNS: 10.1.2.6>, ...

IKE Config

mail_srv2

10.7.1.1

SNMP monitoring IPSec VPN MIB - real time tunnel & usage errors, traps

VPN policy ipsp BBN Policy - SPS, SPSL dependent on Policy Framework policy distribution & discovery VPN topology

More IPSec-related IETF work…

More IPSec-related IETF work…

IPComp problem: IPsec kills any chance of lower-layer compression

solution: add it back in at layer 3 LZW DEFLATE

ipsra discussed later in authentication…

Interoperability:

“how real is all this?”

Interoperability Tests

Originally spearheaded by ANX

ICSA was handed responsibility

VPNC also runs tests

Testing Internet bake-offs

Interoperability Tests

Very successful!

Interoperability failures imply: implementation errors

vendors fix

ambiguity in the standards fed-back to authors and improved

100s of participants

What is tested

Just about anything

IPSec ESP / AH (many transforms) IKE (all modes) certificates

XAUTH, CONFIG, Hybrid, IPComp, …

Enrollment protocols

IPSec – is it a good protocol?

Yes and No

A lot of work went into making it secure

– but –

IKE very complex! hard to implement difficult to analyze modest performance penalty intimidating to implement

On the other hand very flexible very thorough in its treatment of security objectives widely adopted

Proposals for simpler IKE Son of IKE IKEv2 Just Fast Keying (JFK)

IKE

Establishes a security context between two peers

Problem is… who am I establishing with? how do I identify a packet’s origin? requires authentication

Authentication Systems

Biometrics

One-time password tokens

Shared Secret

Certificates

Public Key Infrastructures

Biometrics

Methods of using human physiology for identification / authentication

Examples: fingerprint retina and cornea hand-writing voice pattern

Biometrics – Cont’d

Great where there is locality building access local computer account access smart-cards

– but –

not so applicable over the network spoofing, etc.

One-Time Password Tokens

Time-based or challenge-response

Work very well to authenticate a user

- but -

No cryptographic tie to the session

Vulnerable to: session hijacking man-in-the-middle attacks

Shared Secret Authentication

Part of the IPSec standard

IKE exchange allows mutual authentication with a secret value

Tied cryptographically to the remainder of the session, so no session hijacking no man-in-the-middle attack

Shared Secret Authentication

Security concern if “secrets” are not chosen carefully

Scalability is main issue n-squared secrets in the general case maintenance and distribution not viable for large networks

Enter the

- Certificate -

Certificates

Digital IDs

Signed by a trusted authority (CA)

Digitally binds the ID to its public key

X.509 structure

ID:

Public Key:

Serial Number:

Expiry:

Issuer:

"John Smith"

RSA-512: 451f6c882..8b

2772-18811

January 1, 1998

2770-19199

CA Signature: DSA: 177f31cbe94..1f

Public Key Infrastructures (PKIs)

Certificate Authority (CA) signs user certificates (enrollment) creates revocation lists (CRLs)

Certificate servers X.500 DNS

Enrollment

Process by which a CA securely issues an authorized certificate to a target

End result is that: Target x has:

PrivX (usually held privately) CertX

CertCA (containing PubCA)

Repository has: CertX

Using a PKI When I receive a signed message, how do I

verify its origin?

THE PHILOSOPHER'S SONGImmanuel Kant was a real pissantwho was very rarely stable.Heidegger, Heidegger was a boozy beggarwho could think you under the table.David Hume could out consumeWilhelm Friedrich Hegel.And Wittgenstein was a beery swinewho was just as sloshed as Schlegel.

There's nothing Nietzsche couldn't teach ya‘bout the raising of the wrist.Socrates himself was permanently pissed.

X.500 X.500 DirectoryDirectory

CA

Alice Bob

Alice signs the document using her private key Alice signs the document using her private key PrivPrivAliceAlice, which only she knows…., which only she knows….



Signature


CA

Alice BobPrivAlice

Using a PKI


CA

Alice Bob



Signature

Using a PKI

11 Retrieve originator’s public key certificateRetrieve originator’s public key certificate


CA

Alice Bob

CertificateID: “Alice”Public Key: 3fe4c9e90d...Expiry: 1-jan-99Serial No: 188291-91

CA signature



Signature

Using a PKI

22 Validate cert using CA public keyValidate cert using CA public key


CA

Alice Bob


CA signature



Signature

Valid?Yes

No

PubCA

Using a PKI

33 Retrieve the latest CRLRetrieve the latest CRL


CA



SignatureAlice Bob

CRL12283-99119921-92219929-010

CA signature


CA signature

Using a PKI

44 Validate CRL using CA public keyValidate CRL using CA public key


CA



SignatureAlice Bob

CRL122839-91199219-22199290-10

CA signature


CA signature

Valid?Yes

No

PubCA

Using a PKI

55 Check CRL for matchCheck CRL for match


CA



SignatureAlice Bob

CRL122839-91199219-22199290-10

CA signature


CA signature

?

Using a PKI

66 Validate documentValidate document


CA



SignatureAlice Bob


CA signature

OValid?Yes

No

PubAlice

Using a PKI


CA



Alice Bob

Using a PKI

Alice sent this!

Certificates again…

Certificates have an owner, identified by a DN

Presumably, the reasons for an identity is to: enact some policy rules audit activity

But, in network security, who is the owner? operator? host? application?

Certificate Identities

SSL host authentication only certificates identify the domain makes sense

I care that I am talking to mycompany.com mycompany.com only cares that client can pay!

Email application-level and user-oriented mail server is store-and-forward

not involved in security typically certificates identify the person


But what of IPsec? layer 3, so host-machine oriented so, layer-3 identities make sense (like an IP address or domain)

works well for intranet VPNs

Intranet

Corporate LAN


However, IPsec is used for remote access too, and we may wish to restrict access according to the user’s identity

– so –

User-identified certificates make sense

– however –


Corporations are often resistant to deploying full PKI for all users expensive complex

– and –

They already have an investment in one-time password tokens (SecurID, etc.)

Identities

Ok, so why not just use OTPs with a fixed [public] shared-secret? Nope! Need some layer 3 authentication, otherwise hijack is possible

A number of schemes have been implemented: XAUTH, Hybrid, IPSRA layer 3 host certificate validation user OTP client validation

OK, I know who you are now, but...

should I talk to you? - Authorization

must create policy rules

example: create ACL based on certificate DNs but, how to scale?

Authorization (cont’d)

Work is ongoing in: policy framework working-group IPSec policy working group

IPSec policy working group SPSL, SPD distributed policy servers responsible for resolving local policy from gateways

Groups

idea… define groups and define access privileges accordingly

publish authorization objects in the infrastructure almost like a group membership card scales with the directory

Authentication / Authorization example...


CA

Alice Finance Server

PERMIT

Finance server access policy

Allow access if member of: Group = “Finance” or Group = “Managers”

Group CertificateID: “Alice”Groups: Engineering

ManagersExpiry: 1-Jan-99Serial No:188291-98

PM Signature

LAN

Policy Manager

Single Sign-on

Shines for client/application-server model

Authentication grants authorization ticket ticket is used to access

applications resources

user only needs to maintain one password

Examples: Kerberos Netscape

Who owns the key?

Similar to the authentication issue

For a user application, the answer is easy – the application does (or should)

But what about a server application?

What about Transport layer security?

What about Client VPN?? Multi-user???

VPN illustration

InternetPOP

InternetRemote Access

Intranet

Home officeHead office

Standards Landscape

IETF Standards

IPSec ESP / AH IKE SNMP MIB

IPComp LZS DEFLATE

IETF Standards

IPSRA Methods of issuing temporary certificates using

RADIUS, etc.

PKIX PKCS 7,10,12 CMP CMC SCEP

IPv6

Security mechanisms provided by IPSec all IPv6-complient stacks must support does not have to be enabled

Slow pickup one main intent was address space

NAT has alleviated this significantly huge IPv4 infrastructure

Secure Sockets Layer (SSL)

Originally designed by Netscape

Transaction-based

Ideal for Electronic Commerce (https)

One-way certificate authentication

Being standardized in the IETF as TLS

Can be compiled into application sitting at the transport layer

Secure HTTP

Originally designed by Enterprise Integration Technology (EIT)

Document-level security for HTTP

Dual-authenticated peers

RSA and symmetric security

Submitted to IETF, now RFC 2660

Secure Electronic Transactions (SET)

Master Card and Visa along with Netscape and Microsoft

Uses SSL and S-HTTP to establish a framework between the credit-card company, the merchant and the purchaser

All mutually authenticated

Secure Shell (SSH)

Unix-based command interface

Allows secure access to a remote computer security application listens in on specified ports

static port mapping table required ideal for certain applications: rlogin, rsh, rcp, ftp

SNMPv3

Simple Network Management Protocol

v3 = secure version of SNMP

Protection against: modification of information masquerading message stream modification disclosure

RADIUS and DIAMETER

Authentication and auditing

Password and permission database

RADIUS uses a shared secret to secure the password

DIAMETER mandates strong security on all parts of the transaction, but leaves mechanisms relatively open recommends IPSec

S/MIME and PGP/MIME

Application-level security for email

S/MIME originally from RSA now on IETF standards track

PGP/MIME from Pretty-Good Privacy (now Network Associates) uses PGP’s web-of-trust for encrypting and signing

emails

now PGP Corporation

Quick Comparison: SSH, SSL, IPsec

Protocol Advantages Disadvantages

IPSec

- secures all IP protocols

- invisible to application

- independent of transport

- very flexible

- complicated to implement

- auth not bound to application

- problems with NAT

- secures specific TCP protocols

- no need to modify application

- easy to deploySSH

SSL

- designed for TCP only

- not adaptive (must configure statically for each protocol)

- problems with NAT

- secures client / server applications

- widely accepted for Internet / Web

- application-level auth tied to user

- firewall and NAT friendly

- compile-time security add-on, so cannot be retrofitted to secure existing applications

- TCP-only

Other security areas worth exploring...

Software design practices Password management Random number generation OS stuff

file permissions roles / services

Quantum crypto Incident Response reporting (CERT, etc.)

Sources of security stuff

RSA www.rsasecurity.com

IETF www.ietf.cnri.reston.va.us

CERT www.cert.org

FreeS/WAN www.freeswan.org

TimeStep www.cid.alcatel.com/vpn

Entrust www.entrust.com

VeriSign www.verisign.com CACR www.cacr.math.uwaterloo.ca

http://www.rsasecurity.com/

http://www.ietf.cnri.reston.va.us/

http://www.cert.org/

http://www.freeswan.org/

http://www.cid.alcatel.com/vpn

http://www.entrust.com/

http://www.verisign.com/

Parting thoughts…

We have a few problems in protecting our network resources most do not appear to be related to cryptography, but rather, in its implementation

also, the highest profile attacks are on the Internet makes sense – open standards, open access! little accountability high impact high visibility

Parting thoughts…

Is this fixable? Yes! well… I think so. No silver bullet

Greatest short-term impact add standardized testing integrate the tools (they exist!)

IPSec, SSH, antivirus, firewall, … mandate security in certain key areas

Parting thoughts…

Longer term mandate third-party validation add accountability

encourage service providers to track access to users using strong mechanisms in cases of incident

continue security protocol and crypto research remembering that it’s not only about security but

usability no security if it’s too expensive to use!

Brett [email protected]

Security Research and Innovation

Thank You!

Documents

Network Security Primer Brett Howard Security Research and Innovation Indocrypt 2002 Tutorial Hyderabad, India