Security Protocols in Networks
Dr. Moutasem Shafa’amry
Lecture 6
Syrian Virtual University
MWS/MWTAWS-WIS Course 2013-2014
Course outline
• Computer ethics: ethics of Internet use and the related laws
• Introduction to information security: concepts and terminology
• Introduction to cryptography
– The need for cryptosystems
– Symmetric and asymmetric encryption
– PKI, digital signatures and digital certificates
• Computer network protocols and their security problems (Internet protocols: HTTP, SMTP, FTP)
• Computer network attacks
• Security protocols (SSL, TLS, HTTPS, PGP) and their use in web applications
• Types of web application attacks: Cross-Site Request Forgery (CSRF), SQL injection, etc.
• Detection and prevention
• Security standards
• Security and risk management
• Practical issues
• Project
Security in Layers
Security Layers
Layer                        Security protocol / mechanism
Application (e-commerce)     E-commerce protocols, HTTPS
E-mail                       S/MIME, PGP
Higher-level net protocols   SSL, TLS, SSH; Kerberos
TCP/IP                       IPsec
Data link                    Hardware link encryption
Physical                     (no protocol; physical protection only)
Each mechanism protects traffic between the two peers at its own layer; the same table applies on both ends of the connection.
IPSec Protocol
IPSec: IP Security
• An IETF standard: the original IPsec architecture and related standards were published as RFC 1825 through RFC 1829 (since superseded, most recently by RFC 4301 and its companions for AH and ESP)
• Addresses security issues arising from
– authentication and confidentiality at the IP layer
– connecting a remote host to a server
– interconnecting two LANs using a public network
• Applications:
– wide-area networking of branch offices using the Internet
– interconnecting supplier/distributor extranets to the enterprise network
– telecommuting
– e-commerce
• Implemented in clients, servers or in routers (security gateways)
IPSec Scenario
[Figure: Enterprise LAN#1 (PC, Server) behind a Router; Public Network; Router in front of Enterprise LAN#2 (PC, PC). IPsec can protect traffic host-to-host, host-to-router or router-to-router across the public network.]
Modes in IPSec
• Transport mode: only the payload of the IP packet is secured
– e.g. the TCP, UDP or ICMP header and data; the original IP header stays in place and (for ESP) is sent in the clear
• Tunnel mode: the complete original IP packet is secured
– including its header; the protected packet is then encapsulated behind a new outer IP header addressed to the tunnel endpoint (typically a router)
Transport Mode IPSec
[Figure: Enterprise LAN#1 (PC, Server), Router, Public Network, Router, Enterprise LAN#2 (PC, PC). In transport mode the IPsec association runs end to end between the communicating hosts: end-to-end authentication and/or encryption; the routers forward the packets unchanged.]
Tunnel Mode IPSec
[Figure: same topology. In tunnel mode the associations terminate on the routers: end-system to router authentication and/or encryption inside the LAN, and router-to-router authentication and/or encryption across the public network.]
Transport vs. Tunnel modes
Function                      Transport mode                                            Tunnel mode
AH (authentication)           authenticates the TCP/UDP/ICMP header and data           authenticates the entire inner IP packet (header and
                              (plus the immutable fields of the IP header)              data) plus the immutable fields of the new outer header
ESP (encryption)              encrypts the TCP/UDP/ICMP header and data                encrypts the entire inner IP packet (header and data)
ESP with authentication       encrypts and authenticates the TCP/UDP/ICMP header       encrypts and authenticates the entire inner IP packet
(ESP + AH)                    and data                                                  (header and data)
In either mode the outer IP header is never encrypted, since routers must read it.
Security functions covered by IPSec
Service                                  AH    ESP (encryption only)   ESP with authentication
Access control                           Yes   Yes                     Yes
Connectionless integrity                 Yes   no                      Yes
Data origin authentication               Yes   no                      Yes
Rejection of replayed packets            Yes   Yes                     Yes
Confidentiality                          no    Yes                     Yes
(Limited) traffic-flow confidentiality   no    Yes                     Yes
Caveat: encryption-only ESP is deprecated in practice; without an integrity check the ciphertext is malleable, so ESP should always be used with authentication (or bundled with AH).
IPSec Tunnel mode
• Advantages:
– only the routers (security gateways) need to implement IPsec functions; hosts on the LANs are unchanged
– implements a VPN (virtual private network) between sites over the public network
[Figure: several Enterprise LANs, each behind a Router, connected across the Public Network by IPsec tunnels between the routers.]
IPSec: Authentication Header
• Original IP packet:
  [Original IP hdr][TCP header][TCP data]
• Encoded packet in transport mode (AH inserted after the IP header):
  [Original IP hdr][Authen. hdr][TCP header][TCP data]
• Encoded packet in tunnel mode (whole original packet becomes the payload of a new packet):
  [NEW IP hdr][Authen. hdr][Original IP hdr][TCP header][TCP data]
IPSec: packet format for AH
[Original or new IP header][AH][Payload: TCP segment (transport mode) or whole IP packet (tunnel mode)]
AH fields, in order:
– Next header (8 bits): protocol of the data that follows the AH
– Payload length (8 bits): length of the AH in 32-bit words, minus 2
– Reserved (16 bits)
– Security Parameters Index, SPI (32 bits): identifies the security association
– Sequence number (32 bits): incremented for every packet, used for replay protection
– Authentication data, the ICV (variable length, default 96 bits): HMAC-MD5-96 or HMAC-SHA-1-96
• The ICV covers the TCP/UDP/ICMP header, the data, the AH itself and the non-mutable fields of the IP header; mutable fields are set to zero for the computation
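The AH layout above, as an added example (not code from the original lecture): builds a transport-mode and a tunnel-mode AH packet, computes the HMAC-SHA-1-96 ICV over the immutable fields only, and verifies on receipt. The IPv4 header builder, keys, addresses and payload bytes are constructed for the example; a real SA would get its key from IKE/Oakley.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51      # IP protocol number for AH
IPIP_PROTO = 4     # "next header" value used in tunnel mode (IP-in-IP)
ICV_LEN = 12       # HMAC-SHA-1-96: 96 bits
AH_LEN = 12 + ICV_LEN


def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte IPv4 header (checksum field zero)."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header; assumption: no options, fixed ID, DF set."""
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_no_icv, payload):
    """ICV = HMAC-SHA1(key, zeroed IP header || AH with zeroed ICV || payload), truncated to 96 bits."""
    data = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key, src, dst, next_proto, payload, spi, seq, ttl=64):
    """Transport mode: [IP hdr (proto=51)][AH][original TCP/UDP/ICMP payload]."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    ah = struct.pack("!BBHII", next_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah + ah_icv(key, ip_hdr, ah, payload) + payload


def ah_tunnel(key, outer_src, outer_dst, inner_packet, spi, seq, ttl=64):
    """Tunnel mode: [New IP hdr][AH][whole original IP packet]; next header is IP-in-IP."""
    return ah_transport(key, outer_src, outer_dst, IPIP_PROTO, inner_packet, spi, seq, ttl)


def ah_verify(key, packet):
    """Receiver side: recompute the ICV; returns (ok, next_proto, payload)."""
    ip_hdr, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    ok = hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah, payload))
    return ok, ah[0], payload


def demo():
    """Shows which in-transit changes AH tolerates: a TTL decrement passes, a rewritten source address fails."""
    key = b"\x0b" * 20                                        # constructed 160-bit HMAC key
    payload = b"\x00\x50\x00\x50" + b"GET / HTTP/1.0\r\n"      # constructed stand-in for a TCP segment
    pkt = ah_transport(key, "10.0.0.1", "10.0.1.5", 6, payload, spi=0x1000, seq=1)
    ok_orig, _, _ = ah_verify(key, pkt)
    hopped = bytearray(pkt)                                    # a router decrements TTL and fixes the checksum
    hopped[8] -= 1
    hopped[10:12] = struct.pack("!H", ip_checksum(bytes(hopped[:10]) + b"\x00\x00" + bytes(hopped[12:20])))
    ok_ttl, _, _ = ah_verify(key, bytes(hopped))
    spoofed = bytearray(pkt)                                   # an attacker rewrites the (immutable) source address
    spoofed[12] = 192
    ok_spoof, _, _ = ah_verify(key, bytes(spoofed))
    return ok_orig, ok_ttl, ok_spoof
```

`demo()` returns `(True, True, False)`: the legitimate packet and the TTL-decremented packet verify, the address-rewritten one does not. Note that AH in transport mode fails through NAT for exactly this reason, since NAT rewrites an immutable field.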
IPSec: ESP (Encryption)
• Original IP packet:
  [Original IP hdr][TCP header][TCP data]
• Encoded packet in transport mode (the TCP segment is encrypted; the IP header is not):
  [Original IP hdr][ESP hdr][TCP header][TCP data][ESP trailer][ESP authentication data (optional)]
• Encoded packet in tunnel mode (the whole original packet is encrypted):
  [NEW IP hdr][ESP hdr][Original IP hdr][TCP header][TCP data][ESP trailer][ESP authentication data (optional)]
IPSec: packet format for ESP
[Original or new IP header][ESP header: SPI (32 bits), Sequence number (32 bits)][Payload data: the TCP segment (transport mode) or the whole IP packet (tunnel mode), preceded by the cipher IV][ESP trailer: padding, Pad length (8 bits), Next header (8 bits)][Authentication data: ICV, optional]
• Encrypted region: payload data, padding, pad length and next header, using 3DES, RC5 or another negotiated cipher (DES-CBC in the original standard)
• Authenticated region (when the ICV is present): SPI, sequence number and the whole encrypted region, using HMAC-MD5-96 or HMAC-SHA-1-96; the IP header is not covered
• Padding brings the encrypted region to a multiple of the cipher block size; the next-header field is at the end so that the type of the inner data is hidden in the ciphertext
Combining security functions
• Authentication with confidentiality: ESP with authentication, or AH combined with ESP
• Example: an AH inside an ESP (both in transport mode) between the PC and the server
[Figure: PC on an Enterprise LAN, Router, Public Network, Router, Server on the other Enterprise LAN; the AH-inside-ESP association runs end to end between PC and server.]
Combining security functions (ctd)
• Example: an AH inside an ESP (both in transport mode) between PC and server, and all of this carried within an ESP tunnel between the two routers
[Figure: same topology; the end-to-end transport-mode SAs between PC and server are nested inside a router-to-router ESP tunnel across the public network.]
Key exchange
• Keys can be generated and exchanged manually, by some "physical means" (configured by an administrator on both ends)
• Or generated automatically, by the Oakley key determination and exchange protocol
– based on the Diffie-Hellman key agreement algorithm
– the Oakley key exchange protocol adds authentication, cookies and nonces on top of it
Diffie-Hellman key generation
• A distributed key generation scheme
• Given q, a large prime number, and a, a primitive root of q
  (a^k mod q for 1 <= k < q takes every value in 1..q-1 exactly once)
• A: picks X_A (keeps it secret), computes Y_A = a^X_A mod q and sends Y_A to B
• B: picks X_B (keeps it secret), computes Y_B = a^X_B mod q and sends Y_B to A
• A and B compute the shared secret key K = a^(X_A * X_B) mod q
  as Y_B^X_A mod q (at A) or Y_A^X_B mod q (at B)
Diffie-Hellman key generation
• Man-in-the-middle attack: assumes E can intercept and spoof messages between A and B
– A sends Y_A = a^X_A mod q towards B; E intercepts it and forwards Y_E = a^X_E mod q to B instead
– B sends Y_B = a^X_B mod q towards A; E intercepts it and forwards Y_E to A instead
– A computes a^(X_A * X_E) mod q, B computes a^(X_B * X_E) mod q; E knows both keys and relays traffic, decrypting and re-encrypting in each direction
– Neither A nor B can detect the attack unless the exchanged values are authenticated
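The exchange and the man-in-the-middle attack on it, as an added example (not code from the original lecture). Assumption: a tiny constructed group (q = 1019, a = 2) so the numbers are readable; real deployments use 2048-bit or larger standardized groups. The primitive-root check implements the slide's definition literally and is only feasible for small q.

```python
import secrets

Q = 1019   # constructed prime, q = 2*509 + 1
A = 2      # primitive root of 1019


def is_primitive_root(a, q):
    """Slide definition: a^k mod q for 1 <= k < q takes every value in 1..q-1 exactly once."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1


def random_exponent(q):
    """Private exponent X with 1 <= X <= q-2 (real groups use full-size random exponents)."""
    return secrets.randbelow(q - 2) + 1


def dh_exchange(q, a, x_a, x_b):
    """Honest exchange: returns (Y_A, Y_B, K_A, K_B) with K_A == K_B == a^(X_A*X_B) mod q."""
    y_a, y_b = pow(a, x_a, q), pow(a, x_b, q)
    return y_a, y_b, pow(y_b, x_a, q), pow(y_a, x_b, q)


def dh_mitm(q, a, x_a, x_b, x_e):
    """E intercepts Y_A and Y_B and substitutes her own Y_E in both directions.
    Returns (K_A, K_B, K_AE, K_BE): A and B now hold different keys, both of which E knows."""
    y_a, y_b, y_e = pow(a, x_a, q), pow(a, x_b, q), pow(a, x_e, q)
    k_a = pow(y_e, x_a, q)     # A believes Y_E came from B
    k_b = pow(y_e, x_b, q)     # B believes Y_E came from A
    k_ae = pow(y_a, x_e, q)    # E's key towards A (E saw the real Y_A)
    k_be = pow(y_b, x_e, q)    # E's key towards B (E saw the real Y_B)
    return k_a, k_b, k_ae, k_be


def demo():
    x_a, x_b, x_e = random_exponent(Q), random_exponent(Q), random_exponent(Q)
    _, _, k_a, k_b = dh_exchange(Q, A, x_a, x_b)
    m_a, m_b, m_ae, m_be = dh_mitm(Q, A, x_a, x_b, x_e)
    return k_a == k_b, m_a == m_ae and m_b == m_be
```

`demo()` returns `(True, True)`: honest parties agree on one key, and under the attack each party's key is exactly the one E computed. Nothing in the arithmetic distinguishes Y_E from a genuine Y_B, which is why Oakley signs the exchanged values.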
Diffie-Hellman key generation
• Issues with the algorithm:
– What values of q and a to use? Make several predefined sets (groups) available and let the parties negotiate one
– Man-in-the-middle attack: use some form of authentication (e.g. signatures over the exchanged values)
– Denial of service attack arising from address spoofing (an attacker triggers many expensive exponentiations): use cookies
– Replay attacks: use nonces
Cookies
• Cookies: A requests B's attention; B responds with a "cookie" K (a pseudo-random value); A must return K in its subsequent messages before B does any expensive work
• Characteristics of cookies:
– should depend on data specific to the requesting party, as seen by B
– should use some secret information held only by B
– cookie generation and verification must be fast
– B should not have to save the cookie (stateless verification)
• Example method used: hash the sender and receiver IP addresses, the UDP/TCP port numbers and a secret value
Oakley Key exchange
Oakley Key exchange: part 1
• A to B:
– ID of A, ID of B
– initiator cookie, CK-A
– proposed encryption, hash and authentication algorithms
– a specific Diffie-Hellman group (q, a)
– A's public value y_A = a^X_A mod q
– nonce N_A
– signature with A's private key KR(A) over [ID of A, ID of B, N_A, q, a, y_A]
Oakley Key exchange: part 2
• B to A:
– ID of B, ID of A
– responder cookie CK-B, and the returned initiator cookie CK-A
– selected encryption, hash and authentication algorithms
– the specific Diffie-Hellman group (q, a)
– B's public value y_B = a^X_B mod q
– nonces N_A (returned), N_B
– signature with B's private key KR(B) over [ID of B, ID of A, N_A, N_B, q, a, y_B, y_A]
Oakley Key exchange: part 3
• A to B:
– ID of A, ID of B
– returned responder cookie CK-B, initiator cookie CK-A
– encryption, hash and authentication algorithms
– the specific Diffie-Hellman group (q, a)
– A's public value y_A = a^X_A mod q
– nonces N_A, N_B
– signature with A's private key KR(A) over [ID of A, ID of B, N_A, N_B, q, a, y_B, y_A]
• Returning the cookies defeats clogging, the nonces defeat replay, and the signatures over both public values defeat the man-in-the-middle
IPSEC Architecture
• Key management establishes a security association (SA) for a session
– the SA holds the algorithms, keys and parameters used to provide authentication/confidentiality for that session
– the SA is referenced via a security parameter index (SPI) carried in the AH or ESP header of each IP datagram; together with the destination address and the protocol (AH or ESP) the SPI identifies the SA
[Figure: IP header | SPI | DATA]
AH
• Authentication header: integrity protection and data origin authentication only, no confidentiality
• Inserted into the IP datagram between the IP header and the payload:
  IPv4:         [IP][DATA]
  IPv4 + IPsec: [IP][AH][DATA]
• The integrity check value (ICV) is a 96-bit truncated HMAC (HMAC-MD5-96 or HMAC-SHA-1-96)
AH (ctd)
• Authenticates the entire datagram: mutable fields (TOS, flags, fragment offset, time-to-live, IP header checksum) are zeroed before the ICV is computed, so routers may change them in transit without breaking the check
• Sequence numbers provide replay protection
– the sender increments the number for every packet sent on the SA
– the receiver tracks received packets within a 64-entry sliding window; packets older than the window, or already seen inside it, are dropped (after the ICV has been verified, so that forged packets cannot disturb the window)
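The receiver's 64-entry sliding window, as an added example (not code from the original lecture); the algorithm is the bitmap window of RFC 2401 Appendix C, written out here with a constructed packet sequence.

```python
WINDOW = 64


class ReplayWindow:
    """Anti-replay window: bit i of the bitmap set means sequence number (last - i) was already accepted."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.last = 0        # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it is new and not older than the window; otherwise False.
        Call this only after the packet's ICV has verified, so forged packets cannot advance the window."""
        if seq == 0:
            return False                           # sequence number 0 is never valid
        if seq > self.last:                        # new right edge: slide the window forward
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                           # too old: fell off the left edge
        if self.bitmap & (1 << diff):
            return False                           # duplicate inside the window: replay
        self.bitmap |= 1 << diff                   # late but genuine (reordered in transit)
        return True


def demo(sequence):
    """Feed a constructed sequence of received sequence numbers through one window."""
    w = ReplayWindow()
    return [w.check_and_update(s) for s in sequence]
```

For the constructed input `[1, 2, 3, 2, 5, 4, 4, 100, 36, 37, 3]` the result is `[True, True, True, False, True, True, False, True, False, True, False]`: the second 2 and the second 4 are replays, 4 arriving after 5 is accepted as reordering, 100 slides the whole window, 36 is then 64 behind and too old while 37 is exactly at the left edge and still accepted.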
ESP: Encapsulating Security Payload
• Encapsulating Security Payload: confidentiality, plus optional authentication
• Inserted into the IP datagram; contains sequence numbers and an optional ICV as for AH
• Secures the data payload of the datagram:
– encryption protects the payload (and, in tunnel mode, the entire inner packet)
– the optional authentication covers the ESP header and the ciphertext, but not the outer IP header
• SA bundling is possible: ESP without authentication inside AH
– the AH then covers more fields (including the IP header) than ESP's own authentication would
IPSEC Algorithms
• DES in CBC mode for encryption (the original mandatory cipher)
• HMAC-MD5 and HMAC-SHA-1, truncated to 96 bits, for authentication
• Later versions added optional, DOI-dependent algorithms:
– 3DES, Blowfish, CAST-128, IDEA, RC5, Triple IDEA (!!!), AES
• Caveat: single DES (56-bit key) is brute-forceable and MD5 is deprecated; current IPsec profiles require AES-based encryption (typically AES-GCM) and SHA-2 based integrity
Processing
• Receiver uses the SPI (with the destination address and protocol) to look up the security association (SA)
• Performs the authentication check using the SA's key; the packet is dropped if the ICV fails
• Only then decrypts the authenticated data using the SA
• Operates in two modes:
– transport mode (secure IP): protects the payload
– tunnel mode (secure IP inside standard IP): protects the entire packet
• Tunnel mode is popular in routers: the communicating hosts do not have to implement IPsec themselves
• Nested tunneling is possible
IPSEC Key Management
• ISAKMP: Internet Security Association and Key Management Protocol
• Oakley: DH-based key management protocol
• Photuris: DH-based key management protocol
• SKIP: Sun's DH-based key management protocol
• The protocols changed considerably over time; most borrowed ideas from each other
Photuris
• Latin for "firefly"; Firefly is the NSA's key exchange protocol for STU-III secure phones
• Three-stage protocol:
– 1. exchange cookies
– 2. use DH to establish a shared secret; agree on security parameters
– 3. identify the other party, and authenticate the data exchanged in steps 1 and 2
• Afterwards (optional): change session keys or update security parameters
Photuris (ctd)
• A cookie based on IP address and port stops flooding attacks
– clogging attack: an attacker requests many key exchanges and bogs down the host with expensive DH computations
• The cookie depends on
– the IP addresses and ports
– a secret known only to the host
– Cookie = hash(source and destination IP addresses and ports + local secret)
• The host can recognize a returned cookie without storing anything; an attacker cannot generate fake cookies, and an attacker using a spoofed source address never receives the cookie sent to that address
• Later adopted by other IPsec key management protocols
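The stateless cookie from the Cookies slide and this Photuris slide, as one added example (not code from the original lecture or from Photuris): the responder keeps only a secret, derives the cookie from the addresses, ports and that secret, and does no Diffie-Hellman work until a valid cookie comes back. The responder address, the secret and the request trace are constructed; the 64-bit cookie size follows ISAKMP.

```python
import hmac
import hashlib
import ipaddress
import secrets
import struct


class CookieResponder:
    """Anti-clogging cookie: hash(src IP, dst IP, src port, dst port, local secret), verified statelessly."""

    def __init__(self, my_ip, my_port, secret=None):
        self.ip, self.port = my_ip, my_port
        self.secret = secret or secrets.token_bytes(16)   # rotate periodically in a real implementation

    def make(self, src_ip, src_port):
        data = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(self.ip).packed
                + struct.pack("!HH", src_port, self.port))
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:8]   # 64-bit cookie

    def verify(self, cookie, src_ip, src_port):
        # Recomputing is as cheap as one HMAC; nothing about the earlier request needs to be remembered.
        return hmac.compare_digest(cookie, self.make(src_ip, src_port))


def simulate(responder, requests):
    """requests: list of (src_ip, src_port, cookie_or_None). Returns one outcome per request and the
    number of times the responder would have started an expensive key exchange."""
    outcomes, dh_started = [], 0
    for src_ip, src_port, cookie in requests:
        if cookie is None:
            responder.make(src_ip, src_port)          # cheap reply; no state kept for the peer
            outcomes.append("cookie_sent")
        elif responder.verify(cookie, src_ip, src_port):
            dh_started += 1                            # only now spend CPU on Diffie-Hellman
            outcomes.append("accepted")
        else:
            outcomes.append("rejected")
    return outcomes, dh_started


def demo():
    """A legitimate peer, a flood of spoofed first contacts, and a forged cookie."""
    r = CookieResponder("203.0.113.10", 500, secret=b"\x42" * 16)        # constructed responder
    good = r.make("198.51.100.7", 500)
    trace = [("198.51.100.7", 500, None), ("198.51.100.7", 500, good)]
    trace += [("192.0.2.%d" % i, 500, None) for i in range(1, 51)]       # 50 spoofed sources: cookies go nowhere useful
    trace += [("192.0.2.1", 500, b"\x00" * 8), ("198.51.100.8", 500, good)]  # forged cookie; cookie replayed from another address
    return simulate(r, trace)
```

`demo()` reports exactly one key exchange started: the fifty spoofed requests cost the responder fifty HMACs and no memory, the all-zero cookie is rejected, and the genuine cookie is rejected when presented from a different source address because the address is part of the hash.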
SKIP
• Each machine has a public DH value, authenticated via
– X.509 certificates
– PGP certificates
– Secure DNS
• The public DH value is used as an implicit shared-key calculation parameter
– the resulting long-term shared key is used once, to exchange an encrypted session key
– the session key is used for further encryption/authentication
• A clean-room non-US version was developed by a Sun partner in Moscow
• The US government forced Sun to halt further work with the non-US version
ISAKMP
• NSA-designed protocol to exchange security parameters (but not to establish keys itself)
– protocol to establish, modify and delete IPsec security associations
– provides a general framework for exchanging cookies, security parameters, key management and identification information
• Exact details are left to other protocols (e.g. Oakley for the key exchange)
• Two phases:
– 1. establish a secure, authenticated channel (the ISAKMP "SA")
– 2. negotiate security parameters for the actual traffic (the "KMP" part)
ISAKMP Formats
ISAKMP header (28 bytes):
  Bits 0              8              16             24            31
  +----------------------------------------------------------------+
  |                   Initiator cookie (64 bits)                   |
  +----------------------------------------------------------------+
  |                   Responder cookie (64 bits)                   |
  +----------------------------------------------------------------+
  | Next payload | MjVer | MnVer | Exchange type |     Flags       |
  +----------------------------------------------------------------+
  |                      Message ID (32 bits)                      |
  +----------------------------------------------------------------+
  |                        Length (32 bits)                        |
  +----------------------------------------------------------------+
Generic payload header (4 bytes, precedes every payload):
  | Next payload |   RESERVED   |       Payload length (16 bits)   |
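A parser and builder for the two formats above, as an added example (not code from the original lecture). It follows the RFC 2408 field layout; the exchange-type names and the sample message are the only assumptions, and the length checks show where a careless parser would read past the datagram.

```python
import struct
from dataclasses import dataclass

HDR_FMT = "!8s8sBBBBII"          # cookies, next payload, version, exchange type, flags, message ID, length
HDR_LEN = struct.calcsize(HDR_FMT)   # 28
GEN_FMT = "!BBH"                  # next payload, reserved, payload length
GEN_LEN = struct.calcsize(GEN_FMT)   # 4

EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_header(data):
    """Parse the fixed 28-byte header; reject a length field that disagrees with the datagram."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, np, ver, et, flags, mid, length = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if length < HDR_LEN or length > len(data):
        raise ValueError("length field inconsistent with received datagram")
    return IsakmpHeader(icky, rcky, np, ver >> 4, ver & 0x0F, et, flags, mid, length)


def parse_payloads(data, first_type):
    """Walk the payload chain: each generic header names the type of the NEXT payload; 0 ends the chain."""
    payloads, offset, ptype = [], HDR_LEN, first_type
    while ptype != 0:
        if offset + GEN_LEN > len(data):
            raise ValueError("payload header runs past end of message")
        next_type, _reserved, plen = struct.unpack(GEN_FMT, data[offset:offset + GEN_LEN])
        if plen < GEN_LEN or offset + plen > len(data):
            raise ValueError("bad payload length")       # trusting plen here is the classic parser bug
        payloads.append((ptype, data[offset + GEN_LEN:offset + plen]))
        offset, ptype = offset + plen, next_type
    return payloads


def build_message(icky, rcky, exchange_type, flags, msg_id, payloads):
    """Inverse of the parsers; payloads is a list of (type, body). Version is fixed at 1.0."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(GEN_FMT, next_type, 0, GEN_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR_FMT, icky, rcky, first, 0x10, exchange_type, flags, msg_id, HDR_LEN + len(body)) + body


def describe(data):
    """Constructed convenience: header summary plus the list of (payload type, length)."""
    h = parse_header(data)
    return (EXCHANGE_TYPES.get(h.exchange_type, "other"), h.major, h.minor,
            [(t, len(b)) for t, b in parse_payloads(data, h.next_payload)])
```

A first-contact message (responder cookie all zero, one SA payload of type 1 followed by a nonce payload of type 10) round-trips through `build_message` and `describe`; truncating the datagram makes `parse_payloads` raise instead of slicing beyond the buffer.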
ISAKMP/Oakley
• ISAKMP was merged with Oakley
– ISAKMP provides the protocol framework
– Oakley provides the security (key exchange) mechanisms
• The combined version clarifies both protocols and resolves ambiguities
• The combination was standardized as IKE (Internet Key Exchange, RFC 2409); it has since been replaced by the simpler IKEv2 (RFC 7296)
ISAKMP/Oakley (ctd): Phase 1 example
Client -> Server: client cookie, client ID, key exchange information
Server -> Client: server cookie, server ID, key exchange information, server signature
Client -> Server: client signature
ISAKMP/Oakley (ctd): Phase 2 example (all messages encrypted and MAC'd under the phase 1 keys)
Client -> Server: client nonce, security parameters offered
Server -> Client: server nonce, security parameters accepted
Client -> Server: client nonce, server nonce (acknowledgement, proves liveness)
Secure Socket Layer (SSL) protocol: security in the transport layer
SSL Protocol
• Secure Sockets Layer: encryption of TCP/IP sockets
• Usually authenticates the server using a digital signature (certificate)
• Can authenticate the client with a certificate as well, but in practice this is rarely used
• Confidentiality protection via encryption
• Integrity protection via MACs
• Provides end-to-end protection of communication sessions
History
• SSLv1 was designed by Netscape and broken by members of the audience while it was being presented; it never shipped
• SSLv2 shipped with Netscape Navigator 1.0
• Microsoft proposed PCT (Private Communication Technology): PCT != SSL
• SSLv3 was peer-reviewed and proposed for IETF standardization (later recorded as historical RFC 6101)
• Caveat: SSLv2 and SSLv3 are both prohibited today (RFC 6176 and RFC 7568)
SSL Protocol Stack
[Figure not reproduced in the extracted text]
SSL Handshake
1. Negotiate the cipher suite
2. Establish a shared session key
3. Authenticate the server (optional)
4. Authenticate the client (optional)
5. Authenticate the previously exchanged handshake data (Finished messages)
SSL Handshake (ctd)
• Client hello:
– client nonce (random value)
– available cipher suites (e.g. RSA + RC4/40 + MD5)
• Server hello:
– server nonce
– selected cipher suite (the server adapts to the client's capabilities by choosing from the client's list)
• Optional certificate exchange to authenticate server and/or client
– in practice only server authentication is used
SSL Handshake (ctd)
• Client key exchange: the premaster secret, RSA-encrypted with the server's public key
• Both sides: 48-byte master secret = hash(premaster secret + client nonce + server nonce)
• Client/server ChangeCipherSpec: switch to the selected cipher suite and the keys derived from the master secret
SSL Handshake (ctd)
• Client/server Finished: a MAC over all previously exchanged handshake parameters (authenticates the data from the Hellos and the other exchanges)
– uses an early version of HMAC (SSLv3's nested-hash construction; TLS uses HMAC proper)
• Can reuse previous session data via session IDs carried in the Hellos (session resumption)
• Can bootstrap weak crypto from strong crypto (export mode):
– the server has a certificate with a key longer than 512 bits
– it generates a 512-bit temporary RSA key
– it signs the temporary key with the certificate key
– it uses the temporary key for the key exchange
– caveat: 512-bit RSA keys are factorable with modest resources today; the 2015 FREAK attack exploited this export mechanism, and export suites are disabled in modern clients
• Maintains separate send and receive states (keys, MAC secrets and sequence numbers for each direction)
SSL Data Transfer
SSL Record Protocol operation:
  Data
   -> Fragment (into records of at most 2^14 bytes)
   -> Compress (optional)
   -> MAC (over sequence number, type, length and fragment)
   -> Encrypt (fragment + MAC)
   -> Transmit
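The master-secret derivation from the handshake slides and the record-layer steps above, as one added example (not code from the original lecture). It implements the SSLv3 constructions as published in RFC 6101: the 48-byte master secret built from MD5 and SHA-1 over the premaster secret and the two nonces, and the nested-hash record MAC that predates HMAC. Compression and encryption are omitted (noted in the comments); the secrets and data are constructed.

```python
import hashlib
import hmac

MAX_FRAGMENT = 2 ** 14


def ssl3_master_secret(pre_master, client_random, server_random):
    """SSLv3: master = MD5(pre + SHA1('A' + pre + CR + SR)) || ... for labels 'A', 'BB', 'CCC' (48 bytes)."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out


def ssl3_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """SSLv3 record MAC, the 'early HMAC': H(secret + pad2 + H(secret + pad1 + seq + type + length + fragment)).
    pad1 is 0x36 repeated, pad2 is 0x5c repeated (40 bytes for SHA-1, 48 for MD5)."""
    h = getattr(hashlib, hash_name)
    pad_len = 40 if hash_name == "sha1" else 48
    pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
    inner = h(mac_secret + pad1 + seq_num.to_bytes(8, "big") + bytes([content_type])
              + len(fragment).to_bytes(2, "big") + fragment).digest()
    return h(mac_secret + pad2 + inner).digest()


def protect(mac_secret, content_type, data):
    """Sender side of the record layer: fragment, then MAC each record under its own sequence number.
    Compression is optional and omitted; encryption of (fragment || MAC) would follow here."""
    records = []
    for seq, i in enumerate(range(0, len(data), MAX_FRAGMENT)):
        frag = data[i:i + MAX_FRAGMENT]
        records.append((content_type, frag, ssl3_mac(mac_secret, seq, content_type, frag)))
    return records


def receive(mac_secret, records):
    """Receiver: recompute each MAC with the sequence number it expects; a replayed, reordered or
    modified record fails the check even though the MAC itself was computed with the right key."""
    data, seq = b"", 0
    for content_type, frag, mac in records:
        if not hmac.compare_digest(mac, ssl3_mac(mac_secret, seq, content_type, frag)):
            raise ValueError("bad record MAC at sequence number %d" % seq)
        data += frag
        seq += 1
    return data


def demo():
    """Derive a master secret from constructed handshake values and push 40,000 bytes through the record layer."""
    pre_master = b"\x03\x00" + b"\x11" * 46                    # constructed: version bytes + 46 random bytes
    master = ssl3_master_secret(pre_master, b"c" * 32, b"s" * 32)
    mac_secret = master[:20]                                    # constructed key split; real SSL expands master via the key block
    records = protect(mac_secret, 23, b"x" * 40000)             # 23 = application data
    return len(master), len(records), receive(mac_secret, records) == b"x" * 40000
```

`demo()` returns `(48, 3, True)`. Replaying the first record a second time, or swapping two records, makes `receive` raise: the implicit sequence number is what turns a per-record MAC into protection for the whole stream.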
SSL Characteristics
• Protects the session only (nothing beyond the two endpoints, and no protection of stored data)
• Designed for multiple protocols (HTTP, SMTP, NNTP, POP3, FTP) but only really used with HTTP at the time
• Compute-intensive (figures from the mid-1990s):
– about 3 CPU seconds per handshake on a Sparc 10 with a 1 Kbit RSA key
– a 200 MHz NT box handles about a dozen concurrent SSL handshakes
– mitigations: use multiple servers, or hardware SSL accelerators
• Crippled (export-strength) crypto predominated
– strong servers were freely available (Apache), but most browsers were US-sourced and crippled by export rules
Strong SSL Encryption
• Most implementations were based on SSLeay, http://www.ssleay.org/ (the ancestor of OpenSSL)
• Server: some variation of Apache + SSLeay
• Browser: a hacked US browser, or a non-US browser
• SSL proxy: a strong-encryption tunnel using SSL, placed in front of a weak client
Client-Server SSL Handshake
[Figure not reproduced in the extracted text]
Server Gated Cryptography (SGC)
SGC: Server Gated Cryptography
• Allows strong encryption on a per-server basis, even from export-crippled browsers
• Originally available only to "qualified financial institutions", later extended slightly (hospitals, some government departments)
• Requires a special SGC server certificate from VeriSign
• Enables strong encryption for one server (e.g. www.bank.com)
SGC (ctd)
Exportable SSL:
Client -> Server: Hello
Server -> Client: Hello + certificate
Client -> Server: weak (export-strength) encryption key
Both sides: weak encryption
SSL with SGC:
Client -> Server: Hello
Server -> Client: Hello + SGC certificate
Client -> Server: strong encryption key
Both sides: strong encryption
Transport Layer Security (TLS)
TLS: Transport Layer Security
• IETF-standardized evolution of SSLv3 (TLS 1.0, RFC 2246)
• Non-patented technology
• Non-crippled crypto
• Updated for newer algorithms; substantially similar to SSLv3
• TLS 1.0 identifies itself as SSL 3.1 (version 3.1 in the record layer)
• TLS standards work: http://www.consensus.com/ietf-tls/
• Since this course: TLS 1.1, 1.2 and 1.3 (RFC 8446) followed; TLS 1.0 and 1.1 are deprecated (RFC 8996)