Internet security protocols

Transcription

1 Internet security protocols S E G U R A N Ç A R E D E S E D A D O S / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are by Mark Stamp Information Security: Principles and Practice 2nd edition (Wiley 2011). Some other slides from Dr Lawrie Brown (UNSW@ADFA) for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown With some minor changes/additions 2 Security Protocols 1

2 Protocol Human protocols the rules followed in human interactions Example: Asking a question in class Networking protocols rules followed in networked communication systems Examples: HTTP, FTP, etc. Security protocol the (communication) rules followed in a security application Examples: SSL, IPsec, Kerberos, etc. 3 Protocols Protocol flaws can be very subtle Several well-known security protocols have significant flaws Including WEP, GSM, and even IPsec Implementation errors can occur Such as IE implementation of SSL (CVE ) Not easy to get protocols right 4 Security Protocols 2

3 Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Robust Works when attacker tries to break it Works even if environment changes Easy to use & implement, flexible Difficult to satisfy all of these! 5 Simple Security Protocols Security Protocols 3

4 Secure Entry to NSA 1. Insert badge into reader 2. Enter PIN 3. Correct PIN? Yes? Enter No? Get shot by security guard 7 1. Insert ATM card 2. Enter PIN ATM Machine Protocol 3. Correct PIN? Yes? Conduct your transaction(s) No? Machine (eventually) eats card 8 Security Protocols 4

5 Identify Friend or Foe (IFF) 9 Russian MIG Angola SAAF Impala K 1. N 2. E(N,K) Namibia K MIG in the Middle N SAAF Impala K 4. E(N,K) 2. N Angola 5. E(N,K) Russian MiG 1. N 6. E(N,K) Namibia K Security Protocols 5

6 Authentication Protocols Authentication Alice must prove her identity to Bob Alice and Bob can be humans or computers May also require Bob to prove he s Bob (mutual authentication) Probably need to establish a session key May have other requirements, such as Use public keys Use symmetric keys Use hash functions Anonymity, plausible deniability, etc., etc. 12 Security Protocols 6

7 Authentication Authentication on a stand-alone computer is relatively simple Hash password with salt, etc. Secure path, attacks on authentication software, keystroke logging, etc., are issues Authentication over a network is challenging Attacker can passively observe messages Attacker can replay messages Active attacks possible (insert, delete, change) 13 Simple Authentication 14 I m Alice Prove it My password is frank Alice Bob Simple and may be OK for standalone system But insecure for networked system Subject to a replay attack (next 2 slides) Also, Bob must know Alice s password Security Protocols 7

8 Authentication Attack 15 I m Alice Prove it My password is frank Alice Bob Trudy Authentication Attack 16 I m Alice Prove it My password is frank Trudy Bob This is an example of a replay attack How can we prevent a replay? Security Protocols 8

9 Better Authentication 17 I m Alice Prove it h(alice s password) Alice Bob Better since it hides Alice s password From both Bob and Trudy Subject to replay? YES Challenge-Response To prevent replay, use challenge-response Goal is to ensure freshness Suppose Bob wants to authenticate Alice Challenge sent from Bob to Alice Challenge is chosen so that Replay is not possible Only Alice can provide the correct response Bob can verify the response 18 Security Protocols 9

10 Nonce To ensure freshness, can employ a nonce Nonce == number used once What to use for nonces? That is, what is the challenge? What should Alice do with the nonce? That is, how to compute the response? How can Bob verify the response? Should we rely on passwords or keys? 19 Challenge-Response 20 I m Alice Nonce h(alice s password, Nonce) Alice Nonce is the challenge The hash is the response Nonce prevents replay, ensures freshness Password is something Alice knows Bob must know Alice s pwd to verify Bob Security Protocols 10

11 Authentication protocols Segurança de Redes e Dados 2012/13 Generic Challenge-Response 21 I m Alice Nonce Something that could only be Alice from Alice (and Bob can verify) Bob In practice, how to achieve this? Hashed pwd works Encryption is better here (Why?) 22 Symmetric Keys Security Protocols 11

12 Symmetric Key Notation Encrypt plaintext P with key K C = E(P,K) Decrypt ciphertext C with key K P = D(C,K) Here, we are concerned with attacks on protocols, not attacks on crypto We assume crypto algorithms secure 23 Authentication: Symmetric Key Alice and Bob share symmetric key K Key K known only to Alice and Bob Authenticate by proving knowledge of shared symmetric key How to accomplish this? 24 Must not reveal key, must not allow replay (or other) attack, must be verifiable, Security Protocols 12

13 Authentication with Symmetric Key 25 I m Alice R Alice, K E(R,K) Bob, K Secure method for Bob to authenticate Alice Alice does not authenticate Bob So, can we achieve mutual authentication? Mutual Authentication? 26 I m Alice, R E(R,K) Alice, K E(R,K) Bob, K What s wrong with this picture? Alice could be Trudy (or anybody else)! Security Protocols 13

14 Mutual Authentication Since we have a secure one-way authentication protocol The obvious thing to do is to use the protocol twice Once for Bob to authenticate Alice Once for Alice to authenticate Bob This has got to work 27 Mutual Authentication 28 I m Alice, R A R B, E(R A, K) E(R B, K) Alice, K Bob, K This provides mutual authentication or does it? Security Protocols 14

15 Mutual Authentication Attack I m Alice, R A 2. R B, E(R A, K) Trudy Bob, K 3. I m Alice, R B 4. R C, E(R B, K) Trudy Bob, K Mutual Authentication Our one-way authentication protocol is not secure for mutual authentication Protocols are subtle! The obvious thing may not be secure Also, if assumptions or environment change, protocol may not be secure This is a common source of security failure 30 For example, Internet protocols Security Protocols 15

16 Authentication protocols Segurança de Redes e Dados 2012/13 Symmetric Key Mutual Authentication 31 I m Alice, R A R B, E( Bob,R A,K) E( Alice,R B,K) Alice, K Bob, K Do these insignificant changes help? Yes! 32 Public Keys Security Protocols 16

17 Public Key Notation 33 Encrypt M with Alice s public key: {M} Alice Sign M with Alice s private key: [M] Alice Then [{M} Alice ] Alice = M {[M] Alice } Alice = M Anybody can use Alice s public key Only Alice can use her private key Public Key Authentication 34 I m Alice {R} Alice R Alice Bob Is this secure? Trudy can get Alice to decrypt anything! So, should have two key pairs Security Protocols 17

18 Public Key Authentication 35 I m Alice R [R] Alice Alice Is this secure? Trudy can get Alice to sign anything! Same as previous should have two key pairs Bob Public Keys Generally, a bad idea to use the same key pair for encryption and signing Instead, should have one key pair for encryption/decryption and a different key pair for signing/verifying signatures 36 Security Protocols 18

19 Session Key Usually, a session key is required I.e., a symmetric key for a particular session Used for confidentiality and/or integrity How to authenticate and establish a session key (i.e., shared symmetric key)? When authentication completed, want Alice and Bob to share a session key Trudy cannot break the authentication and Trudy cannot determine the session key 37 Authentication & Session Key 38 I m Alice, R {R,K} Alice Alice {R +1,K} Bob Bob Is this secure? Alice is authenticated and session key is secure Alice s nonce, R, useless to authenticate Bob The key K is acting as Bob s nonce to Alice No mutual authentication Security Protocols 19

20 Public Key Authentication and Session Key 39 I m Alice, R [R,K] Bob [R +1,K] Alice Alice Bob Is this secure? Mutual authentication (good), but session key is not secret (very bad) Public Key Authentication and Session Key 40 I m Alice, R {[R,K] Bob } Alice {[R +1,K] Alice } Bob Alice Is this secure? Seems to be OK Mutual authentication and session key! Bob Security Protocols 20

21 Authentication protocols Public Key Authentication and Session Key 41 I m Alice, R [{R,K} Alice ] Bob [{R +1,K} Bob ] Alice Alice Is this secure? Seems to be OK Bob Anyone can see {R,K} Alice and {R +1,K} Bob 42 Public Keys and TimeStamps as nonces Security Protocols 21

22 Timestamps A timestamp T is derived from current time Timestamps used in some security protocols Kerberos, for example Timestamps reduce number of msgs (good) Like a nonce that both sides know in advance Time is a security-critical parameter (bad) Clocks never exactly the same, so must allow for clock skew creates risk of replay How much clock skew is enough? 43 Public Key Authentication with Timestamp T 44 I m Alice, {[T, K] Alice } Bob {[T +1, K] Bob } Alice Alice Bob Secure mutual authentication? Session key? Seems to be OK Security Protocols 22

23 Public Key Authentication with Timestamp T 45 I m Alice, [{T, K} Bob ] Alice [{T +1, K} Alice ] Bob Alice Bob Secure authentication and session key? Trudy can use Alice s public key to find {T, K} Bob and then Public Key Authentication with Timestamp T 46 I m Trudy, [{T, K} Bob ] Trudy [{T +1, K} Trudy ] Bob Trudy Bob Trudy obtains Alice-Bob session key K Note: Trudy must act within clock skew Security Protocols 23

24 Public Key Authentication Sign and encrypt with nonce Secure Encrypt and sign with nonce Secure Sign and encrypt with timestamp Secure Encrypt and sign with timestamp Insecure Protocols can be subtle! 47 Public Key Authentication with Timestamp T 48 I m Alice, [{T, K} Bob ] Alice [{T +1} Alice ] Bob Alice Bob Is this encrypt and sign secure? o Yes, seems to be OK Does sign and encrypt also work here? Security Protocols 24

25 Zero Knowledge Proofs Zero Knowledge Proof (ZKP) Alice wants to prove that she knows a secret without revealing any info about it Bob must verify that Alice knows secret But Bob gains no info about the secret Process is probabilistic 50 Bob can verify that Alice knows the secret to an arbitrarily high probability An interactive proof system Security Protocols 25

26 Bob s Cave Alice knows secret phrase to open path between R and S ( open sarsaparilla ) Can she convince Bob that she knows the secret without revealing phrase? 51 P Q R S Bob s Cave 52 Bob: Alice come out on S side Alice (quietly): Open sarsaparilla If Alice does not know the secret then Alice could come out from the correct side with probability ½ If Bob repeats this n times, then Alice (who does not know secret) can only fool Bob with probability 1/2 n Q P R S Security Protocols 26

27 Fiat-Shamir Protocol Cave-based protocols are inconvenient Can we achieve same effect without the cave? Finding square roots modulo N is difficult Equivalent to factoring Suppose N = pq, where p and q prime Alice has a secret S N and v=s 2 mod N are public, S is secret Alice must convince Bob that she knows S without revealing any information about S 53 Alice secret S random r Fiat-Shamir Public: Modulus N and v=s 2 mod N Alice selects random r, Bob chooses e {0,1} 54 x = r 2 mod N e {0,1} y = r S e mod N Bob must verify: y 2 = x v e mod N Why? Because y 2 = r 2 S 2e = r 2 (S 2 ) e = x v e mod N Bob random e Security Protocols 27

28 Fiat-Shamir: e = 1 Alice secret S random r x = r 2 mod N e = 1 y = r S mod N Public: Modulus N and v=s 2 mod N Alice selects random r, Bob chooses e =1 If y 2 =x v mod N then Bob accepts it I.e., Alice passes this iteration of the protocol Note that Alice must know S in this case 55 Bob random e Alice secret S random r Fiat-Shamir: e = 0 x = r 2 mod N e = 0 Public: Modulus N and v=s 2 mod N Alice selects random r, Bob chooses e = 0 Bob must check whether y 2 = x mod N Alice does not need to know S in this case! 56 y = r mod N Bob random e Security Protocols 28

29 Fiat-Shamir Public: modulus N and v = S 2 Secret: Alice knows S mod N Alice selects random r and commits to r by sending x=r 2 mod N to Bob Bob sends challenge e {0,1} to Alice Alice responds with y=r S e Bob checks whether y 2 =x v e mod N mod N Does this prove response is from Alice? 57 Does Fiat-Shamir Work? If everyone follows protocol, math works: Public: v=s 2 mod N Alice to Bob: x=r 2 mod N and y=r S e mod N Bob verifies: y 2 =x v e mod N 58 Security Protocols 29

30 Does Fiat-Shamir Work? Can Trudy convince Bob she is Alice? If Trudy expects e=0, she sends x=r 2 in msg 1 and y=r in msg 3 (i.e., follow the protocol) If Trudy expects e=1, sends x=r 2 v 1 in msg 1 and y=r in msg 3 If Bob chooses e {0,1} at random, Trudy can only trick Bob with probability ½ 59 This can be improved by making S 1, S 2, S n and e 1, e 2, e n. And then y=r S 1 e1 S 2 e2 S n en mod N Fiat-Shamir Facts Trudy can trick Bob with probability 1/2, but after n iterations, the probability that Trudy can convince Bob that she is Alice is only 1/2 n Just like Bob s cave! Bob s e {0,1} must be unpredictable Alice must use new r each iteration, or else If e=0, Alice sends r mod N in message 3 If e=1, Alice sends r S mod N in message 3 Anyone can find S given r mod N and r S mod N 60 Security Protocols 30

31 Fiat-Shamir Zero Knowledge? Zero knowledge means that nobody learns anything about the secret S Public: v = S 2 mod N Trudy sees r 2 mod N in message 1 Trudy sees r S mod N in message 3 (if e = 1) If Trudy can find r from r 2 But that requires modular square root mod N, gets S If Trudy could find modular square roots, she could get S from public v Protocol does not seem to help to find S 61 ZKP in the Real World Public key certificates identify users No anonymity if certificates sent in plaintext ZKP offers a way to authenticate without revealing identities ZKP supported in MS s Next Generation Secure Computing Base (NGSCB), where 62 ZKP used to authenticate software without revealing machine identifying data ZKP is not just pointless mathematics! Security Protocols 31

32 It depends on Best Authentication Protocol? The sensitivity of the application/data The delay that is tolerable The cost (computation) that is tolerable What crypto is supported (public key, symmetric key, ) Whether mutual authentication is required Whether PFS, anonymity, etc., are concern and possibly other factors 63 Real world Protocols Security Protocols 32

33 Real world protocols Internet Security Protocols and Standards Secure Sockets Layer (SSL) / Transport Layer Security (TLS) IPsec S/MIME (Secure/Multipurpose Internet Mail Extension) Protocols SSL Security Protocols 33

34 What is SSL? 67 SSL is the protocol used for majority of secure transactions on the Internet For example, if you want to buy a book at amazon.com You want to be sure you are dealing with Amazon (authentication) Your credit card information must be protected in transit (confidentiality and/or integrity) As long as you have money, Amazon doesn t really care who you are So, no need for mutual authentication Secure Sockets Layer (SSL) 68 Transport layer security service originally developed by Netscape version 3 designed with public input Subsequently became Internet standard RFC2246: Transport Layer Security (TLS) Current version is TLS 1.2 RFC5246 Use TCP to provide a reliable end-to-end service May be provided in underlying protocol suite or embedded in specific packages Security Protocols 34

35 SSL Protocol Stack 69 Socket layer lives between application and transport layers SSL usually between HTTP and TCP Application Transport Network Logic Physical SSL SSL Record Protocol Services message integrity using a MAC with shared secret key similar to HMAC but with different padding confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 TSL1.2: IDEA and DES remove as cipher suites TSL1.2: RC4 is 128, RC2 removed message is compressed before encryption 70 Security Protocols 35

36 SSL Record Protocol Operation 71 Simple SSL-like Protocol 72 I d like to talk to you securely Here s my certificate {K} Bob Alice protected HTTP Bob Is Alice sure she s talking to Bob? Is Bob sure he s talking to Alice? Security Protocols 36

37 Simplified SSL Protocol 73 Can we talk?, cipher list, R A certificate, cipher, R B {S} Bob, E(h(msgs,CLNT,K),K) h(msgs,srvr,k) Alice Data protected with key K Bob S is known as pre-master secret K = h(s,r A,R B ) msgs means all previous messages CLNT and SRVR are constants SSL Keys 6 keys derived from K = h(s,r A,R B ) 2 encryption keys: send and receive 2 integrity keys: send and receive 2 IVs: send and receive 74 Why different keys in each direction? Q: Why is h(msgs,clnt,k) encrypted? A: Apparently, it adds no security Security Protocols 37

38 SSL Authentication Alice authenticates Bob, not vice-versa How does client authenticate server? Why would server not authenticate client? Mutual authentication is possible: Bob sends certificate request in message 2 Then client must have a valid certificate 75 If server wants to authenticate client, server could instead require password SSL MITM Attack? 76 R A R A certificate T, R B certificate B, R B {S 1 } Trudy,E(X 1,K 1 ) {S 2 } Bob,E(X 2,K 2 ) h(y 1,K 1 ) h(y 2,K 2 ) Alice E(data,K 1 ) Trudy E(data,K 2 ) Bob Q: What prevents this MITM attack? A: Bob s certificate must be signed by a certificate authority (CA) What does browser do if signature not valid? What does user do when browser complains? Security Protocols 38

39 SSL Sessions vs Connections SSL session is established as shown on previous slides SSL designed for use with HTTP 1.0 HTTP 1.0 often opens multiple simultaneous (parallel) connections Multiple connections per session SSL session is costly, public key operations SSL has an efficient protocol for opening new connections given an existing session 77 Several flaws on SSL RFC 6176 prohibits the use of SSL v2.0 in TLS due to: Message authentication uses MD5 (see RFC6151) Handshake messages are not protected. This permits a manin-the-middle to trick the client into picking a weaker cipher suite than it would normally choose. Message integrity and message encryption use the same key, which is a problem if the client and server negotiate a weak encryption algorithm. Sessions can be easily terminated. A man-in-the-middle can easily insert a TCP FIN to close the session, and the peer is unable to determine whether or not it was a legitimate end of the session. Security Protocols 39

40 Real world protocols Segurança de Redes e Dados 2012/13 79 Protocols IPsec IP Security various application security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS security concerns cross protocol layers hence would like security implemented by the network for all applications authentication & encryption security features included in next-generation IPv6 also usable in existing IPv4 80 Security Protocols 40

41 general IP Security mechanisms provides authentication confidentiality key management IPsec applicable to use over LANs, across public & private WANs, & for the Internet 81 Application Transport Network Logic Physical IPsec IPsec Uses 82 Security Protocols 41

42 Benefits of IPsec in a firewall/router provides strong security to all traffic crossing the perimeter in a firewall/router is resistant to bypass is below transport layer, hence transparent to applications can be transparent to end users can provide security for individual users secures routing architecture 83 IP Security Architecture 84 mandatory in IPv6, optional in IPv4 have two security header extensions: Authentication Header (AH) Encapsulating Security Payload (ESP) Key Exchange function VPNs want both authentication/encryption hence usually use ESP specification is quite complex numerous RFC s 4301/4302/4303/5996 Two modes: Transport mode: add info/security to original packet Tunnel mode: protect the original packet by encapsulating it in new IP packet Security Protocols 42

43 Security Associations a one-way relationship between sender & receiver that affords security for traffic flow defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier has a number of other parameters seq no, AH & ESP info, lifetime etc have a database of Security Associations 85 IPsec Transport Mode IPsec Transport Mode 86 IP header data IP header ESP/AH data Transport mode designed for host-to-host Transport mode is efficient Adds minimal amount of extra header The original header remains Passive attacker can see who is talking Security Protocols 43

44 IPsec transport mode IPsec: Host-to-Host 87 There may be firewalls in between if so, is that a problem? IPsec Tunnel Mode IPsec Tunnel Mode 88 IP header data new IP hdr ESP/AH IP header data Tunnel mode for firewall-to-firewall traffic Original IP packet encapsulated in IPsec Original IP header not visible to attacker New IP header from firewall to firewall Attacker does not know which hosts are talking Security Protocols 44

45 IPsec tunnel mode IPsec: Firewall-to-Firewall 89 No IPsec Alice s Firewall IPsec Internet Bob s Firewall No IPsec Alice Bob Local networks unprotected So, is there any advantage here? IPsec Security What kind of protection? Confidentiality? Integrity? Both? What to protect? Data? Header? Both? 90 ESP/AH do some combinations of these Security Protocols 45

46 AH vs ESP AH Authentication Header Integrity only (no confidentiality) Integrity-protect everything beyond IP header and some fields of header (why not all fields?) ESP Encapsulating Security Payload Integrity and confidentiality both required Protects everything beyond IP header Integrity-only by using NULL encryption 91 According to RFC 2410 ESP s NULL Encryption Null(P,K) = P for any P and any key K NULL encryption is a block cipher the origins of which appear to be lost in antiquity Despite rumors, there is no evidence that NSA suppressed publication of this algorithm Evidence suggests it was developed in Roman times as exportable version of Caesar s cipher Can make use of keys of varying length No IV is required 92 The bottom line: Security people are strange It is from November not an April RFC Security Protocols 46

47 Authentication Header AH Transport Mode Source: Stephen J. Friedl, IPsec illustrated Guide Security Protocols 47

48 95 AH Tunnel mode Source: Stephen J. Friedl, Ipsec illustrated Guide 96 AH and NAT Source: Stephen J. Friedl, Ipsec illustrated Guide Security Protocols 48

49 Encapsulating Security Payload (ESP) ESP Transport mode Source: Stephen J. Friedl, Ipsec illustrated Guide Security Protocols 49

50 99 ESP - Tunnel Mode Source: Stephen J. Friedl, Ipsec illustrated Guide Why Does AH Exist? (1) 100 Cannot encrypt IP header Routers must look at the IP header IP addresses, TTL, etc. IP header exists to route packets! AH protects immutable fields in IP header Cannot integrity protect all header fields TTL, for example, will change ESP does not protect IP header at all Security Protocols 50

51 Why Does AH Exist? (2) ESP encrypts everything beyond the IP header (if non-null encryption) If ESP-encrypted, firewall cannot look at TCP header (e.g., port numbers) Why not use ESP with NULL encryption? 101 Firewall sees ESP header, but does not know whether null encryption is used End systems know, but not the firewalls Why Does AH Exist? (3) 102 The real reason why AH exists: At one IETF meeting someone from Microsoft gave an impassioned speech about how AH was useless everyone in the room looked around and said `Hmm. He s right, and we hate AH also, but if it annoys Microsoft let s leave it in since we hate Microsoft more than we hate AH. Security Protocols 51

52 Key Management handles key generation & distribution typically need 2 pairs of keys A pair per direction for AH & ESP manual key management sysadmin manually configures every system automated key management automated system for on demand creation of keys for SA s in large systems has Oakley & ISAKMP elements Internet Security Association and Key Management Protocol Uses Inter Key Exchange protocol (IKE) RFC IKE has 2 phases IKE 104 Phase 1 IKE security association (SA) Phase 2 AH/ESP security association Phase 1 is comparable to SSL session Phase 2 is comparable to SSL connection Not an obvious need for two phases in IKE If multiple Phase 2 s do not occur, then it is more costly to have two phases! Security Protocols 52

53 Result of IKE phase 1 is Mutual authentication Shared symmetric key IKE Phase 1 Summary IKE Security Association (SA) But phase 1 is expensive 105 Especially in public key and/or main mode Developers of IKE thought it would be used for lots of things not just IPsec Partly explains the over-engineering Plausible Deniability in Phase 1 Trudy can create conversation that appears to be between Alice and Bob Public Key main and aggressive mode Appears valid, even to Alice and Bob! A security failure? 106 In this mode of IPSec, it is a feature Plausible deniability: Alice and Bob can deny that any conversation took place! In some cases it might create a problem E.g., if Alice makes a purchase from Bob, she could later repudiate it (unless she had signed) Security Protocols 53

54 IKE Summary Phase 1 establishes IKE SA Phase 2 establishes IPsec SA Both sides have a shared symmetric key 107 IPsec SSL vs IPsec Lives at the network layer (part of the OS) Encryption, integrity, authentication, etc. Is overly complex (some security issues) SSL (and TLS) 108 Lives at socket layer (part of user space) Encryption, integrity, authentication, etc. Relatively simple and elegant specification Security Protocols 54

55 Real world protocols SSL vs IPsec IPsec: OS must be aware, but not apps SSL: Apps must be aware, but not OS SSL built into Web early-on (Netscape) IPsec often used in VPNs (secure tunnel) Reluctance to retrofit applications for SSL IPsec not widely deployed (complexity, etc.) The bottom line Internet less secure than it should be! Protocols S/MIME Security Protocols 55

56 S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME original Internet RFC822 was text only MIME provided support for varying content types and multipart messages (RFC2045) with encoding of binary data to textual form S/MIME added security enhancements (RFC5751) have S/MIME support in many mail agents 111 eg MS Outlook, Mozilla, Mac Mail etc enveloped data S/MIME Functions encrypted content and associated keys signed data encoded message + signed digest clear-signed data clear text message + encoded signed digest signed & enveloped data 112 nesting of signed & encrypted entities Security Protocols 56

57 S/MIME Process 113 S/MIME Cryptographic Algorithms digital signatures: RSA hash functions: SHA-256 (SHA-1 & MD5 backward compatibility) session key encryption: RSA 114 message encryption: AES, 3DES, etc MAC: HMAC with SHA-1, DES-MAC must map binary values to printable ASCII use radix-64 or base64 mapping Security Protocols 57

58 S/MIME Public Key Certificates S/MIME has effective encryption and signature services but also need to manage public-keys S/MIME uses X.509 v3 certificates each client has a list of trusted CA s certs and own public/private key pairs & certs certificates must be signed by trusted CA s Mail certificate Security Protocols 58

59 Real world protocols 117 Kerberos Kerberos In Greek mythology, Kerberos is 3-headed dog that guards entrance to Hades Wouldn t it make more sense to guard the exit? In security, Kerberos is an authentication protocol based on symmetric key crypto Originated at MIT Based on work by Needham and Schroeder Relies on a Trusted Third Party (TTP) RFC Security Protocols 59

60 Motivation for Kerberos Authentication using public keys N users N key pairs Authentication using symmetric keys N users requires (on the order of) N 2 keys Symmetric key case does not scale! Kerberos based on symmetric keys but only requires N keys for N users - Security depends on TTP + No PKI is needed 119 Kerberos KDC Kerberos Key Distribution Center or KDC KDC acts as the TTP 120 TTP is trusted, so it must not be compromised KDC shares symmetric key K A with Alice, key K B with Bob, key K C with Carol, etc. Master key K KDC known only to KDC KDC enables authentication, session keys Session key for confidentiality and integrity In practice, crypto algorithm is AES Security Protocols 60

61 Kerberos Tickets KDC issue tickets containing info needed to access network resources KDC also issues Ticket-Granting Tickets or TGTs that are used to obtain tickets Each TGT contains Session key User s ID Expiration time 121 Every TGT is encrypted with K KDC So, TGT can only be read by the KDC Kerberized Login Alice enters her password Then Alice s computer 122 Derives K A from Alice s password Uses K A to get TGT for Alice from KDC Alice then uses her TGT (credentials) to securely access network resources Plus: Security is transparent to Alice Minus: KDC must be secure it s trusted! Security Protocols 61

62 Kerberized Login 123 Alice wants Alice s password a TGT E(S A,TGT,K A ) Alice Computer Key K A = h(alice s password) KDC KDC creates session key S A Alice s computer decrypts S A and TGT Then it forgets K A TGT = E( Alice, S A, K KDC ) Alice Requests Ticket to Bob Talk to Bob 124 I want to talk to Bob REQUEST REPLY Alice Computer REQUEST = (TGT, authenticator) authenticator = E(timestamp, S A ) REPLY = E( Bob, K AB, ticket to Bob, S A ) ticket to Bob = E( Alice, K AB, K B ) KDC gets S A from TGT to verify timestamp TGT = E( Alice, SA, K KDC ) KDC Security Protocols 62

63 Alice Uses Ticket to Bob 125 ticket to Bob, authenticator E(timestamp + 1, K AB ) Alice s Computer Bob ticket to Bob = E( Alice, K AB, K B ) authenticator = E(timestamp, K AB ) Bob decrypts ticket to Bob to get K AB which he then uses to verify timestamp Kerberos Key S A used in authentication For confidentiality/integrity Timestamps for replay protection Recall, that timestamps 126 Reduce the number of messages like a nonce that is known in advance But, time is a security-critical parameter Security Protocols 63