Upload
venkatesh-iyer
View
14.175
Download
0
Embed Size (px)
DESCRIPTION
Basic concepts of network security
Citation preview
Full-service Software Product Development Life Cycle Services
A Security Primer
Venkatesh IyerCreated: 30/11/2005
Full-service Software Product Development Life Cycle Services 2
Security Topics
PGP S/MIME
SSL TLS
IPSec
Cryptography
Symmetric Key
Public Key
Algorithms
Encryption
Digital Signatures
Certificates
Algorithms
Encryption
Key Mgmt
Full-service Software Product Development Life Cycle Services 3
Need for message security
• Privacy– Am I sure no body else knows this?
• Authentication– Am I sure that the sender is genuine and not an
imposter?
• Integrity– Am I sure that the message has not been tampered on
its way?
• Non-repudiation– What will I do if the sender denies sending the message?
Full-service Software Product Development Life Cycle Services
Cryptography
Full-service Software Product Development Life Cycle Services 5
Cryptography
• Jargon– Cryptography means “Secret Writing”– Original message – plaintext– Encrypted message – ciphertext– Encryption and decryption algorithms – ciphers– The number value that the cipher operates on –key
• Types– Symmetric key cryptography – Public key cryptography
Full-service Software Product Development Life Cycle Services 6
Symmetric Key Cryptography
110.ico
Encrypt
Network
110.ico
Decrypt
Shared secret key
• Features– Same key used by sender and receiver– Algorithm for decryption is inverse of the
algorithm used for encryption
Alice Bob
1 2
Full-service Software Product Development Life Cycle Services 7
Symmetric Key (contd.)
• Algorithms– DES (Data Encryption Standard)– Triple DES
• Advantages– Efficient algorithms (takes less time to encrypt and
decrypt)– Simple
• Disadvantages– Each pair must have unique keys. i.e. N people will
require N(N-1)/2 keys– Distribution of keys between two parties can be difficult
Full-service Software Product Development Life Cycle Services 8
Public Key Cryptography
110.ico
Encrypt
Network
110.ico
Decrypt
Bob’s public key
Alice Bob
Bob’s private key
To the public
1
2
• Features– There are two keys: a private key and a public key– The private key is kept by the receiver and the
public key is announced to the public
Full-service Software Product Development Life Cycle Services 9
Public Key (contd.)
• Algorithms– RSA (Rivest, Shamir and Adleman)
• Advantages– Need to distribute only the public key. Private key can
be safely kept– Lesser number of keys i.e. 1 million users may need only
2 million keys (as compared to 500 billion, if they use symmetric key cryptography)
• Disadvantages– Complex algorithms– Association between the public key and the entity must
be verified (need for certificates)
Full-service Software Product Development Life Cycle Services 10
Digital Signatures
• Features– Enables integrity, authentication and non-repudiation– Private keys are used to sign a message (or hash)– Public keys are used to verify the signatures
• Hash Functions– Signing the whole message is inefficient– Hash functions are used to create a unique digest of the
message– Popular hashing algorithms are SHA-1 (secure hash
algorithm) and MD5 (message digest)
Full-service Software Product Development Life Cycle Services 11
Digital Signatures (contd.)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
To Bob
1
2
3
Sender site
Full-service Software Product Development Life Cycle Services 12
Digital Signatures (contd.)
110.ico
Receiver site
Bob
From Alice
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
4 5
6
Full-service Software Product Development Life Cycle Services 13
Key Management
• In symmetric key systems:– We need a mechanism to share the key between sender
and receiver, and also reduce the number of keys– In some cases, public key systems also use symmetric
key to encrypt a message and encrypt the key using public key
– Solution: session keys. Symmetric keys are created for a session and destroyed when the session is over
– Techniques for key management:» Deffie Hellman method» Key distribution center (Needham-Schroeder protocol and
Otway-Rees protocol)
Full-service Software Product Development Life Cycle Services 14
Key Management (contd.)
• In public key systems:– Alice needs to know whether Bob’s public key is genuine– Solution: Certificates
– Bob goes to a Certification Authority (CA), e.g. VeriSign, which binds Bob’s public key to an entity called certificate.
– Certificate is signed by CA, which has a well known public key, and hence cannot be forged.
– Alice can verify the CA’s signature and hence be sure about Bob’s public key
Full-service Software Product Development Life Cycle Services 15
Certificates
• Certificate is described by X.509 protocol• X.509 uses ASN.1 (Abstract Syntax Notation 1) to define the
fields• X.509 fields:
Field Explanation
Version Version number of X.509
Serial Number The unique identifier used by the CA
Signature The certificate signature
Issuer The name of the CA defined by X.509
Validity Period
Start and end period that certificate is valid
Subject Name The entity whose public key is being certified
Public Key The subject public key and the algorithms that use it
Full-service Software Product Development Life Cycle Services 16
Chain of Trust
• Query propagation similar to DNS queries • At any level, the CA can certify performance of CAs in the
next level i.e. level-1 CA can certify level-2 CAs.• Thumb-rule: Everyone trusts Root CA
Root CA
Level-1CA 1
Level-2CA 3
Level-2CA 4
Level-2CA 5
Level-2CA 6
Level-2CA 2
Level-2CA 1
Level-1CA 2
Full-service Software Product Development Life Cycle Services
Security at IP Level
Full-service Software Product Development Life Cycle Services 18
IPSec – IP Security
• Secures the IP packet by adding additional header
• Selection of encryption, authentication and hashing methods left to the user
• It requires a logical connection between two hosts, achieved using Security Association (SA)
• An SA is defined by:– A 32-bit security parameter index (SPI)– Protocol type: Authentication Header (AH) Or Encapsulating
Security Payload (ESP)– The source IP address
IP HeaderIPSec Header Rest of the PacketNew IP Header
IP Header IPSec Header Rest of the Packet Transport Mode
Tunnel Mode
OR
Full-service Software Product Development Life Cycle Services
Security at Transport Layer
Full-service Software Product Development Life Cycle Services 20
Secure Sockets Layer (SSL)
• Developed by Netscape• Used to establish secure connection between two parties• Protocol similar to TLS (p.t.o)• OpenSSL (www.openssl.org) provides libraries which
implement SSL and TLS • Several application layer security protocols run on top of
SSL. E.g. Secure HTTP (https)
Full-service Software Product Development Life Cycle Services 21
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Full-service Software Product Development Life Cycle Services 22
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Browser sends a hello message that includes TLS version and other
preferences
Full-service Software Product Development Life Cycle Services 23
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Server sends a certificate that has its
public key
Full-service Software Product Development Life Cycle Services 24
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Browser verifies the certificate. It generates a
session key, encrypts with server’s public key
and sends it to the server
Full-service Software Product Development Life Cycle Services 25
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Browser sends handshake terminating message, encrypted by
the secret key
Full-service Software Product Development Life Cycle Services 26
Transport Layer Security (TLS)• Designed by IETF; derived from SSL• Lies on top of Transport layer• Uses two protocols:
– Handshake Protocol
– Data exchange protocol
– Uses secret key to encrypt data.
– Secret key already shared during handshake
Hello
Certificate
Secret key
End Handshaking
Encrypted Ack
Client Server
Server decrypts secret key with its private key.
Uses secret key to decode message ad sends encrypted ack
Full-service Software Product Development Life Cycle Services
Security at Application Layer
Full-service Software Product Development Life Cycle Services 28
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
Full-service Software Product Development Life Cycle Services 29
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
Email message is hashed to create digest
Full-service Software Product Development Life Cycle Services 30
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
Digest is encrypted using Alice’s private key
Full-service Software Product Development Life Cycle Services 31
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
Signed digest added to the message
Full-service Software Product Development Life Cycle Services 32
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
The message and digest are encrypted using one
time secret key created by Alice
Full-service Software Product Development Life Cycle Services 33
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
The secret key is encrypted using Bob’s public key
Full-service Software Product Development Life Cycle Services 34
Pretty Good Privacy (PGP)
110.ico
Alice
Hash Function
Digest
Encrypt
Alice’s private key
+110.ico
Signed Digest
Message plus Signed Digest
Encrypted (secret key & message + digest) to Bob
1
2
3Encrypt
Bob’s public key
Encrypt
One-time secret key
+
4
5
6
Sender site
The encrypted message, digest and secret key is sent
to Bob
Full-service Software Product Development Life Cycle Services 35
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
Full-service Software Product Development Life Cycle Services 36
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
Bob decrypts the secret key with his private key
Full-service Software Product Development Life Cycle Services 37
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
Bob decrypts the encrypted message and digest using the decrypted secret key
Full-service Software Product Development Life Cycle Services 38
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
Bob decrypts the encrypted digest with Alice’s public key
Full-service Software Product Development Life Cycle Services 39
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
Bob hashes the received message to create a digest
(for message integrity)
Full-service Software Product Development Life Cycle Services 40
PGP (contd.)
110.ico
Receiver site
Bob
Decrypt Hash Function
Digest
Alice’s public key
DigestX
Compare
9 10
11
Encrypted (secret key & message + digest)
Bob’s private key
Decrypt
Decrypt
Encrypted (message + digest)
One-time secret key
7
8
The two digests are compared, thus providing
authentication and integrity
Full-service Software Product Development Life Cycle Services 41
Sample PGP Signature
From: [email protected]: Mon, 16 Nov 1998 19:03:30 -0600Subject: Message signed with PGPMIME-Version: 1.0Content-Type: text/plain; charset=US-ASCIIContent-Transfer-Encoding: 7bitContent-Description: "cc:Mail Note Part"
-----BEGIN PGP SIGNED MESSAGE-----
Bob,
This is a message signed with PGP, so you can see how much overhead PGPsignatues introduce. Compare this with a similar message signed with S/MIME.
Alice
-----BEGIN PGP SIGNATURE-----Version: PGP for Personal Privacy 5.0Charset: noconv
iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8MaIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HXrKvnc2aBPFI==mUaH-----END PGP SIGNATURE-----
Full-service Software Product Development Life Cycle Services 42
S/MIME
• Working principle similar to PGP• S/MIME uses multipart MIME type to include the cryptographic
information with the message• S/MIME uses Cryptographic Message Syntax (CMS) to specify the
cryptographic information • Creating S/MIME message:
MIME Entity
CMS Object S/MIMECertificates
Algo identifiers
CMS Processing
MIME Wrapping
Full-service Software Product Development Life Cycle Services 43
Sample SMIME SignatureFrom: [email protected]: Mon, 16 Nov 1998 19:03:08 -0600Subject: Message signed with S/MIMEMIME-Version: 1.0Content-Type: multipart/mixed; boundary="simple boundary"
--simple boundaryContent-Type: text/plain; charset=US-ASCIIContent-Transfer-Encoding: 7bitContent-Description: "cc:Mail Note Part"
Bob,
This is a message signed with S/MIME, so you can see how much overhead S/MIMEsignatures introduce. Compare this with a similar message signed with PGP.
Alice
--simple boundaryContent-Type: application/octet-stream; name="smime.p7s"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="smime.p7s"
MIIQQwYJKoZIhvcNAQcCoIIQNDCCEDACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDnwwggnGMIIJL6ADAgECAhBQQRR9a+DX0FHXfQOVHQhPMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzAxMjcwMDAwMDBaFw05ODAxMjcyMzU5NTlaMIIBFzERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMUYwRAYD
Full-service Software Product Development Life Cycle Services 44
Sample SMIME SignatureUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwNjI3MDAwMDAwWhcNOTkwNjI3MjM1OTU5WjBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYUps9N0AUN2Moj0G+qtCmSY44s+G+W1y6ddksRsTaNV8nD/RzGuv4eCLozypXqvuNbzQaot3kdRCrtc/KxUoNoEHBkkdc+a/n3XZ0UQ5tul0WYgUfRLcvdu3LXTD9xquJA8lQ5vBbuz3zsuts/bCqzFrGGEp2ukzTVuNXQ9z6pAgMBAAGjMzAxMA8GA1UdEwQIMAYBAf8CAQEwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQDB+vcC51fKEXXGnAz6K3dPh0UXO+PSwdoPWDmOrpWZA6GooTj+eZqTFwuXhjnHymg0ZrvHiEX2yAwF7r6XJe/g1G7kf512XM59uhSirguf+2dbSKVnJa8ZZIj2ctgpJ6o3EmqxKK8ngxhlbI3tQJ5NxHiohuzpLFC/pvkN27CmSjCCAjEwggGaAgUCpAAAATANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNOTkxMjMxMjM1OTU5WjBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiHmgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAUnO6mlXc3D+CfbCQmGIqgkx2AG4lPdXCCXBXAQwPdx8YofscYA6gdTtJIUH+p1wtTEJJ0/8o2Izqnf7JB+J3glMj3lXzzkST+vpMvco281tmsp7I8gxeXtShtCEJM8o7WfySwjj8rdmWJOAt+qMp9TNoeE60vJ9pNeKomJRzO8QxggGPMIIBiwIBATB2MGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcgIQUEEUfWvg19BR130DlR0ITzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwIwYJKoZIhvcNAQkEMRYEFE5W9YE9GtbjlD5A52LLaEi96zCKMBwGCSqGSIb3DQEJBTEPFw05NzA4MDcxODQwMTBaMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEDI3mvHr3SAJkdoMqxZnSjJ+5gfZABJGQVOfyEfcKncY/RYFvWuHBAEBySImIQZjMgMNrQLL7QXJ/eIxIwDet+c
--simple boundary--
Full-service Software Product Development Life Cycle Services
References
Full-service Software Product Development Life Cycle Services 46
References
• Overview of cryptography: – www.rsalabs.com/faq/– http://www.faqs.org/faqs/cryptography-faq/part06/
• Implementation of SSL and TSL: – www.openssl.org
• S/MIME Internet task force: – www.imc.org/ietf-smime/index.html
• Relationship between S/MIME and PGP/MIME: – www.imc.org/smime-pgpmime.html